CloudFactory Eliminates “Head Scratching” with Cato XDR

More than just introducing XDR today, Cato announced the first XDR solution to be built on a SASE platform. Tapping the power of the platform dramatically improves XDR's quality of insight and the ease of incident response, leading to faster incident remediation.

"The Cato platform gives us peace of mind," says Shayne Green, an early adopter of Cato XDR and Head of Security Operations at CloudFactory. CloudFactory is a global outsourcer where Green and his team are responsible for ensuring the security of up to 8,000 remote analysts ("cloud workers" in CloudFactory parlance) worldwide.

"When you have multiple services, each providing a particular component to serve the organization’s overall security needs, you risk duplicating functionality. The primary function of one service may overlap with the secondary function of another. This leads to inefficient service use. Monitoring across the services also becomes a headache, with manual processes often required due to inconsistent integration capabilities. To have a platform where all those capabilities are tightly converged together makes for a huge win," says Green.

Why CloudFactory Deployed Cato XDR

Cato XDR is fed by the platform's set of converged security and network sensors, 8x more native data sources than XDR solutions built on a vendor's EPP solution alone. The platform also delivers a seamless interface for remediating incidents, including new Analyst Workbenches and proven incident response playbooks for fast incident response. From policy configuration to monitoring to threat management and incident detection, enterprises gain one seamless experience.

"Cato XDR gives us a clear picture of the security events and alerts," says Green. "Trying to pick that apart through multiple platforms is head-scratching and massively resource intensive."

Before Cato, XDR would have been infeasible for CloudFactory. "We would need to have all the right sensors deployed for our sites and remote users across the globe. That would have been a costly exercise and very difficult to maintain. We would also have needed to ingest that data into a common datastore, normalize the data in a way that doesn't degrade its quality, and only then could we begin to operate on the data. It would be a massive effort to do it right; Cato has given us all that instantly," he says.

Cato XDR Streamlines CloudFactory’s Business Collaboration

With Cato XDR deployed, Green found information that proved helpful at an operational level. "We knew that some BitTorrent was running on our network, but Cato XDR showed us how much, summarizing all the information in one place, and other types of threats. With the evidence consolidated on a screen, we can easily see the scale of an issue."

The new AI summary feature helps to automate a routine task. "We just snip-and-send the text describing the story for our internal teams to act on. The AI summary provides a very clear and simple articulation of the issue/finding. This saves us from manually formulating reports and evidence summaries."

"Having a central presentation layer of our security services along with instant controls to remediate issues is of obvious benefit," he says. "We can report on millions of daily events to show device and user activity, egress points, ISP details, application use, throughput rates, security threats and more. We can see performance pinch points, investigate anomalous traffic and application access, and respond accordingly. The power of the information and the way it is presented makes the investigations very simple. Through the workbench stories feature, we follow the breadcrumb trail through the verbose data sets all the way to a conclusion. It's actually a fun feature to use and has provided powerful results, which is super useful across a distributed workforce."

"Before Cato, we would often be scratching our heads trying to obtain meaningful information from multiple platforms and spending a lot of time doing it. The alternative would be very fragmented and sometimes fairly brittle due to the way sets of information would have to be stitched together. With Cato, we don't have to do that. It's maintained for us, and the information is on tap."

The Platform: It's More Than Just Technology

However, for Green, the notion of a platform extends far beyond the technical delivery of capabilities. "Having a single platform is a no-brainer for us. It's not just the technology. It also gives us a single point of contact for our networking and security needs, and that's incredibly important. Should we see the need for new features or enhancements, or if we have problems, we're not pulled from pillar to post between providers. We have a one-stop shop at Cato," says Green.

"What I like about the partnership with Cato is how they respond to our feedback," he says. "There have been several occasions where we've asked for functionality or service features to be added, and they have been. That's fantastic because it strengthens the Cato platform, the partnership, and, most importantly, the service we can provide our clients."

To learn more about the CloudFactory story, read the original case study here.

Cato XDR Proves to Be a “Timesaver” for Redner’s Markets

“The Cato platform gave us better visibility, saved time on incident response, resolved application issues, and improved network performance ten-fold.” Nick Hidalgo, Vice President of IT and Infrastructure at Redner’s Markets

At what point do security problems meet network architecture issues? For U.S. retailer Redner’s Markets, it was when the company’s firewall vendor required backhauling traffic just to gain visibility into traffic flows.

Pulling traffic from the company’s 75 retail locations across Pennsylvania, Maryland, and Delaware led to “unexplainable” application problems. Loyalty applications failed to work correctly. Due to the unstable network, some of the grocer’s pharmacies couldn’t fax in their orders.

Those and other complaints led Redner’s Markets’ vice president of IT and infrastructure, Nick Hidalgo, and his team to implement Cato SASE Cloud. “Transitioning to Cato allowed us to establish direct traffic paths from the branches, leading to a remarkable 10x performance boost and vastly improved visibility,” says Hidalgo. “The visibility you guys give us is better than any other platform we’ve had.”

Redner’s Markets Trials Cato XDR

When the opportunity came to evaluate Cato XDR, Hidalgo and his team signed up for the early availability program. “With our firewall vendor’s XDR platform, we only get half the story. We can see the endpoint process that spawned the story, but we lack the network context. Remediating incidents requires us to jump between three different screens.”

By contrast, Cato XDR provides an incident detection and response solution spanning the network detection and response (NDR) and endpoint detection and response (EDR) domains. More than eight native endpoint and network sensors feed Cato XDR: NGFW, SWG, ATP, DNS, ZTNA, CASB, DLP, RBI, and EPP. Typically, XDR platforms come with one or two native sensors, and for most that means native data only from their EPP solution. Cato XDR can also ingest data from third-party sensors.

Using this rich dataset, Cato automatically collects related incidents into detailed Gen-AI “stories” with built-in analysis and recommendations. These stories enable analysts to quickly prioritize, investigate, and respond to threats. AI-based threat-hunting capabilities create a prioritized set of suspected incident stories. Using Gen-AI, SOC analysts can efficiently manage and act upon stories using the incident analysis workbench built into the Cato management application.

With Cato, Hidalgo found XDR adoption and implementation to be simple. “We fully deployed the Cato service easily, and each time we turn on a capability, we immediately start seeing new stories,” he says. “We enabled Data Loss Prevention (DLP) and immediately identified misuse of confidential information at one of our locations.”

Having deployed Cato XDR and Cato EPP, Hidalgo gains a more holistic view of an incident. “Within our events screen, we now have a single view showing us all of the network and endpoint events relating to a story.”

More broadly, Cato’s combination of deep incident insight and converged incident response tools has made his team more efficient in remediating incidents. “Cato XDR is a timesaver for us,” he says. “The XDR cards let us see all the data relating to an incident in one place, which is valuable. Seeing the flow of the attack through the network – the source of the attack, the actions taken, the timeframe, and more – on one page saves a lot of time. If a user has a network issue, I do not have to jump to various point product portals to determine where the application is being blocked.”

Overall, the Cato platform and Cato XDR have proved critical for Redner’s Markets. “The Cato platform gave us better visibility, saved time on incident response, resolved application issues, and improved network performance ten-fold.”

Cato Taps Generative AI to Improve Threat Communication

Today, Cato is furthering our goal of simplifying security operations with two important additions to Cato SASE Cloud. First, we’re leveraging generative AI to summarize all the indicators related to a security issue. Second, we tapped ML to accelerate the identification and ranking of threats by finding similar past threats across an individual customer’s account and all Cato accounts.

Both developments build on Cato’s already extensive use of AI and ML. In the past, this work has largely been behind the scenes, such as performing offline analysis for OS detection, client classification, and automatic application identification. Last June, Cato extended those efforts and revolutionized network security with arguably the first implementation of real-time, machine learning-powered protection for malicious domain identification.

Today’s additions will be more noticeable to customers, adding new visual elements to our management application. Together they help address practical problems security teams face every day, whether in finding threats or in communicating those findings to other teams. Alone, new AI widgets would be mere window dressing on today’s enterprise security challenges. But coupling AI and ML with Cato’s elegant architecture represents a major change in the enterprise security experience.

Solving the Cybersecurity Skills Problem Begins with the Security Architecture

It's no secret that security operations teams are struggling. The flood of security alerts generated by the many appliances and tools across a typical enterprise infrastructure makes identifying the truly important alerts impossible for many teams. This “alert fatigue” is not only impacting team effectiveness in protecting the enterprise, but it’s also impacting the quality of life of its security personnel.

In a survey conducted by Opinium, 93% of respondents say IT management and cyber-security risk work has forced them to cancel, delay, or interrupt personal commitments. Not a good thing when you’re trying to retain precious security talent. A recent Cybersecurity Workforce Study from ISC2 found that 67% of surveyed cybersecurity professionals reported that their organization has a shortage of the cybersecurity staff needed to prevent and troubleshoot security issues. Another study from Enterprise Strategy Group (ESG), as reported in Security Magazine, found that 7 out of 10 surveyed organizations (71%) report being impacted by the cybersecurity skills shortage.

Both problems could be addressed by simplifying enterprise infrastructure. The many individual security tools and appliances used in enterprise networks to connect and protect their users require security teams to juggle multiple interfaces to solve the simplest of problems. The security analyst’s lack of deep visibility into networking and security data inhibits their ability to diagnose threats. The ongoing discovery of new vulnerabilities in appliances, even security appliances, puts stress on security teams as they race to evaluate risks and patch systems.

This is why Cato rethought networking and security operations eight years ago by first solving the underlying architectural problems. The Cato SASE Cloud is a platform first, converging core security tools – SWG, CASB, DLP, RBI, ZTNA/SDP, and FWaaS with Advanced Threat Prevention (IPS, DNS Security, Next Generation Anti-malware). Those tools share the same admin experience and interface, so learning them is easier. They share the same underlying data lake, which is populated with networking data as well, providing the richest dataset possible for security teams to hunt for threats. The Cato platform is always current, protecting users everywhere against new and rising threats without overburdening a company’s security team.

Across that platform, Cato has been running AI and machine learning (ML) algorithms to make the platform even simpler and smarter. We combine AI and ML with HI – human intelligence – from our vast team of security experts to eliminate false positives, identify threats faster, and recognize new devices connecting to the network with higher precision.

Two New Additions to Cato’s Use of AI and ML

It’s against this backdrop that Cato has expanded our AI work in two important ways toward the goal of making the enterprise security experience simpler and smarter.

We recognize that security teams need to share their insights with other IT members. It can be challenging for security experts to summarize succinctly the story behind a threat and for novice security personnel to interpret a dashboard of indicators. So, we tapped generative AI to write a one-paragraph summary of the security indicators leading to an analyst’s given conclusion.

Story summary is automatically generated by generative AI.

We also wanted to find a way to identify and rank threats even faster and more accurately. We tapped AI and ML in the past to accomplish this goal, but today we are expanding those efforts. Using distance algorithms, we identify similarities between new security stories and other stories in a customer’s account and across all Cato accounts. This means that Cato customers directly benefit from knowledge and experience gained across the entire Cato community. And that’s significant because there’s a very, very good chance that the story you’re trying to evaluate today was already seen by some other Cato customer. So, we can make that identification and rank the threat for you faster and more easily.

Story similarity quickly identifies and ranks new stories based on past analysis of other similar stories in a customer’s or third-party accounts.

A SASE Platform and AI/ML – A Winning Combination

The expansion of AI/ML into threat detection analytics and its use in summarizing security findings are important in simplifying security operations. However, AI/ML alone cannot address the range of security challenges facing today’s enterprise. Organizations must first address the underlying architectural issues that make security so challenging. Only by replacing disparate security products and tools with a single, converged global platform can AI be something more than, well, window dressing.

For a more technical analysis of our use of generative AI, see this blog from the Cato Labs Research team.

How to Build the Perfect Network Without SLAs

If you are used to managed MPLS services, transitioning to Internet last-mile access as part of SD-WAN or SASE might cause some concern. How can enterprises ensure they are getting a reliable network if they are not promised end-to-end SLAs? The answer: by dividing the enterprise backbone into two last miles connected by a middle mile, and then applying appropriate redundancy and failover systems and technologies in each section. In this blog post we explain how SD-WAN and SASE ensure higher reliability and network availability than legacy MPLS, and why SLAs are actually overrated.

This blog post is based on the ebook “The Future of the SLA: How to Build the Perfect Network Without MPLS”, which you can read here.

The Challenge with SLAs

While SLAs might create a sense of accountability, in reality enforcing penalties for missing an SLA has always been problematic. Exclusions limit the scope of any SLA penalty. Even if the SLA penalties are collected, they never completely compensate the enterprise for the financial and business damage resulting from downtime. And the last-mile infrastructure requirements for end-to-end SLAs often limited them to only the most important locations. Affordable last-mile redundancy, running active/active last-mile connections with automatic failover, wasn’t feasible for mid to small-sized locations. Until now.

SD-WAN/SASE: The Solution to the Performance Problem

SD-WANs disrupt the legacy approach to designing inherently reliable last-mile networks. By separating the underlay (Internet or MPLS) from the overlay (traffic engineering and routing intelligence), enterprises can enjoy better performance at reduced costs, at any location.

Reduced Packet Loss - SD-WAN or SASE use packet loss compensation technologies to strengthen loss-sensitive applications. They also automatically choose the optimum path to minimize packet loss. In addition, Cato’s SASE enables faster packet recovery by managing connectivity through a private network of global PoPs.

Improved Uptime - SD-WAN or SASE run active/active last-mile connections with automatic failover/failback, combined with diverse routing, to exceed even the uptime targets guaranteed by MPLS.

Reducing Latency in the Middle Mile

But while the last mile might be more resilient with SD-WAN and SASE, what about the middle mile? With most approaches the middle mile includes the public Internet. The global public Internet is erratic, resulting in high latency and inconsistency. This is especially challenging for applications that offer voice, video or other real-time or mission-critical services. To ensure mission-critical or loss-sensitive applications perform as expected, a different solution is required: a private middle mile. When done right, performance can exceed MPLS performance without the cost or complexity. There are two main middle-mile cloud alternatives:

1. Global Private Backbones

These are private cloud backbones offered by AWS and Azure for connecting third-party SD-WAN devices. However, this option requires complex provisioning and could result in some SD-WAN features being unavailable, limited bandwidth, routing limits, limited geographical reach and security complexities. In addition, availability is also questionable. Uptime SLAs offered by cloud providers run 99.95%, or ~264 minutes of downtime per year. Traditional telco service availability typically runs at four nines, 99.99% uptime, or ~52 minutes of downtime per year.

2. The Cato Global Private Backbone

Cato’s edge SD-WAN devices automatically connect to the nearest Cato PoP into the Cato Global Private Backbone. The Cato backbone is a geographically distributed, SLA-backed network of 80+ PoPs, interconnected by multiple tier-1 carriers that commit to SLAs around long-haul latency, jitter and packet loss. Cato backs its network with a 99.999% uptime SLA (~5 minutes of downtime per year).

With Cato’s global private backbone, there is no need for the operational headache of HA planning and ensuring redundancy. As a fully distributed, self-healing service, Cato includes many tiers of redundancy across PoPs, nodes and servers. Cato also optimizes the network through bandwidth maximization, real-time path selection and packet loss correction, among other techniques. Overall, Cato customers have seen 10x to 20x improved throughput when compared to MPLS or an all-Internet connection, at a significantly lower cost than MPLS.

The Challenge with Telco Services

While a fully managed telco service might also seem like a convenient solution, it has its own set of limitations:

- Telco networks lack global coverage, requiring the establishment of third-party relationships to connect locations outside their operating area.
- Loss of control and visibility, since telco networks limit enterprises' ability to change their WAN configuration themselves.
- High costs, due to legacy and dedicated infrastructure and appliances.
- Rigid service, due to reliance on the provider’s network and product expertise.

Do We Need SLAs?

Ensuring uptime can be achieved without SLAs. Technology can help. Separating the underlay from the overlay, and the last mile from the middle mile, results in a reliable and optimized global network without the cost or lock-in of legacy MPLS services.

To learn more about how to break out of the chain of old WAN thinking and see how a global SASE platform can transform your network, read the entire ebook, here.
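The availability arithmetic behind the "two last miles plus a middle mile" argument above, as an added example that is not part of the original post: segments in series multiply their availabilities, while active/active links in parallel only fail together. The 99.95%, 99.99% and 99.999% figures are the post's; the 99.9% per-link last-mile availability is a constructed assumption for illustration.

```python
"""Availability model for a segmented WAN: last mile + middle mile + last mile.

Added illustration, not Cato's own model. Per-link last-mile availability
(0.999) is a constructed assumption; the 0.9995 / 0.9999 / 0.99999 figures
are the ones quoted in the post.
"""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes


def downtime_minutes_per_year(availability: float) -> float:
    """Annual downtime implied by an availability fraction, e.g. 0.9999."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def serial(*segments: float) -> float:
    """End-to-end availability of a path: every segment must be up."""
    return prod(segments)


def active_active(*links: float) -> float:
    """Availability of redundant links: the path is down only if ALL fail.

    Assumes independent failures (separate carriers / physical paths);
    two links from the same provider would be correlated and worse than this.
    """
    return 1.0 - prod(1.0 - a for a in links)


def end_to_end(last_mile_a: float, middle_mile: float, last_mile_b: float) -> float:
    """Site A -> middle mile -> site B, all three sections in series."""
    return serial(last_mile_a, middle_mile, last_mile_b)


def compare_designs(single_link: float = 0.999) -> dict:
    """Return end-to-end availability for the designs discussed in the post.

    single_link: constructed availability of ONE Internet last-mile circuit.
    """
    dual_last_mile = active_active(single_link, single_link)  # 0.999 -> 0.999999
    return {
        # Legacy telco MPLS with a four-nines end-to-end SLA.
        "mpls_single_sla": 0.9999,
        # Internet last miles, no redundancy, over a 99.999% private backbone.
        "single_internet_private_backbone": end_to_end(single_link, 0.99999, single_link),
        # Active/active last miles over a cloud-provider backbone at 99.95%.
        "dual_internet_cloud_backbone": end_to_end(dual_last_mile, 0.9995, dual_last_mile),
        # Active/active last miles over a 99.999% private backbone.
        "dual_internet_private_backbone": end_to_end(dual_last_mile, 0.99999, dual_last_mile),
    }


def report() -> str:
    """Human-readable table of availability and minutes of downtime per year."""
    lines = []
    for name, avail in compare_designs().items():
        lines.append(f"{name:34s} {avail * 100:.4f}%  "
                     f"~{downtime_minutes_per_year(avail):7.1f} min/yr")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The comparison shows the two points the post makes: without last-mile redundancy the last mile dominates (over 1,000 minutes a year), and with redundant last miles the middle mile's SLA decides whether the design beats four-nines MPLS.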

With New Third-Party Integrations, Cato Improves Reach and Helps Customers Cut Costs

Consider this: By the end of 2024, Gartner has projected that over 40% of enterprises will have explicit strategies in place for SASE adoption, compared to just 1% in 2018. As the “poster child” of SASE (Forrester Research’s words, not mine), Cato has seen first-hand SASE’s incredible growth, not just in adoption by organizations of all sizes, but also in terms of third-party vendor requests to integrate Cato SASE Cloud into their software.

The Cato API provides the Cato SASE Experience programmatically to third parties. Converging security and networking information into a single API reduces ingestion costs and simplifies data retrieval. It’s this same kind of elegant, agile, and smart approach that typifies the Cato SASE Experience.

Over the past year, nearly a dozen technology vendors released Cato integrations, including Arctic Wolf, Axonius, Google, Rapid7, Sekoia, and Sumo Logic. Cato channel partners, like UK-based Wavenet, have also done their own internal integrations, reporting significant ROI improvements. “So many vendors who didn’t give us the time of day are now approaching and telling us that their customers are demanding they integrate with Cato,” says Peter Lee, worldwide strategic sales engineer and Cato’s subject matter expert on the Cato API.

One API To Rule Them All

As a single converged platform, Cato offers one API for fetching security, networking, and access data worldwide about any site, user, or cloud resource. A single request allows developers to fetch information on a specific object, class of events or timeframe – for any location, user, or cloud entity, or for all objects across their Cato SASE Cloud account. This single “window into the Cato world” is one of the telltale signs of a true SASE platform.

Only by building a platform with convergence in mind could Cato create a single API for accessing events related to SD-WAN and networking, as well as security events from our SWG, CASB, DLP, RBI, ZTNA/SDP, IPS, NGAM, and FWaaS capabilities. All are delivered in the same format and structure for instant processing.

By contrast, product-centric approaches require developers to make multiple requests to each product and for each location. One request would be issued for firewall events, another for IPS events, still another for connectivity events for each enterprise location. Multiple locations require separate requests. And each product would deliver data in a different format and structure, requiring further investment to normalize them before processing.

Channel Partners Realize Better ROI Due to Cato API

The difference between the two is more than semantic; it reflects on the bottom line. Just ask Charlie Riddle. Riddle heads up product integration for Wavenet, a UK-based MSP offering a converged managed SOC service based on Microsoft and Cato SASE Cloud.

He had a customer who switched from ingesting data from legacy firewalls to ingesting data from Cato. “Cato’s security logs are so efficient that when ingested into our 24/7 Managed Security Operations Centre (SOC), a 500-user business with 20+ sites saved £2,000 (about $2,500) per month, about 30% of the total SOC cost, just in Sentinel log ingestion charges,” he says. For Cato customers, Wavenet only needed to push the log data into its SIEM, not the full network telemetry data, to ensure accurate event correlation.

And because Wavenet provides both the Cato network and the SOC, Wavenet’s SOC team is able to use Cato’s own security tools directly to investigate alerts and to respond to them, rather than relying only on EDR software or the SIEM itself. Managing the network and security together this way improves both threat detection and response, while reducing spend.

Partners Address a Range of Use Cases with Cato

Providing security, networking, and access data through one interface has led to a range of third-party integrations. SIEMs need to ingest Cato data for comprehensive incident and event management. Detection and response tools use Cato data to identify threats. Asset management systems tap Cato data to track what’s on the network.

Sekoia.io XDR, for example, ingests and enriches Cato SASE Cloud logs and alerts to fuel its detection engines. "The one-click ‘cloud to cloud’ integration between Cato SASE Cloud and Sekoia.io XDR allows our customers to leverage the valuable data produced by their Cato solutions and drastically improve their detection and orchestration capabilities within a modern SOC platform," says Georges Bossert, CTO of Sekoia.io, a European cybersecurity company. (Click here for more information about the integration.)

Another vendor, Sumo Logic, ingests Cato’s security and audit events, making it easy for users to add mission-critical context about their SASE deployment to existing security analytics, automatically correlate Cato security alerts with other signals in Sumo Logic’s Cloud SIEM, and simplify audit and compliance workflows. “Capabilities delivered via a SASE leader like Cato Networks have become a critical part of modern organizations’ response to remote work, cloud migration initiatives, and the overall continued growth of SaaS applications required to run businesses efficiently,” said Drew Horn, Senior Director of Technology Alliances, Sumo Logic. “We’re excited to partner with Cato Networks and enable our joint customers the ability to effectively ensure compliance and more quickly investigate potential threats across their applications, infrastructure and digital workforce.” (Click here for more information about the Sumo Logic integration.)

Partners and Enterprises Can Easily Integrate Cato SASE Cloud into Their Infrastructure

To learn more about how to integrate with Cato, check out our technical information about the Cato API here. For a list of third-party integrations with Cato, see this page.

SSE Is a Proven Path for Getting To SASE

Modern enterprise complexity is challenging cybersecurity programs. With the widespread adoption of cloud services and remote work, and the broadening distribution of applications and employees away from traditional corporate locations, organizations require a more flexible and scalable approach to network security. SASE technology can help address these issues, making SASE adoption a goal for many organizations worldwide. But adoption paths can vary widely.

To get an understanding of those adoption paths, and the challenges along the way, the Enterprise Strategy Group surveyed nearly 400 IT and cybersecurity professionals to learn of their experiences. Each survey respondent is in some way responsible for evaluating, purchasing, or managing network security technology products and services.

One popular strategy is to ease into SASE by starting with security service edge (SSE), a building block of SASE which integrates security capabilities directly into the network edge, close to where users or devices connect. Starting with SSE necessitates having an SSE provider with a smooth migration path to SASE. Relying on multiple vendors leads to integration challenges and deployment issues.

The survey report, SSE Leads the Way to SASE, outlines the experiences of these adopters of SSE/SASE. The full report is available free for download. Meanwhile, we’ll summarize the highlights here.

Modernization Is Driving SASE Adoption

At its core, SASE is about the convergence of network and security technology. But even more so, it’s about modernizing technologies to better meet the needs of today’s distributed enterprise environment. Asked what’s driving their interest in SASE, respondents’ most common response is supporting network edge transformation (30%). This makes sense, considering the network edge is no longer contained to branch offices. Other leading drivers include improving security effectiveness (29%), reducing security risk (28%), and supporting hybrid work models (27%).

There Are Numerous Use Cases for SASE

The respondents list a wide variety of initial use cases for SASE adoption, everything from modernizing secure application access to supporting zero-trust initiatives. One-quarter of all respondents cite aligning network and security policies for applications and services as their top use case. Nearly as many also cite reducing or eliminating the internet-facing attack surface for network and application resources, and improving remote user security. The report groups the wide variety of use cases into higher-level themes such as improving operational efficiency, supporting flexible work models, and enabling more consistent security.

Security Teams Face Numerous Challenges

One-third of respondents say that growth in the threat landscape has the biggest impact on their work. This is certainly true as organizations’ attack surfaces now extend from the user device to the cloud. The Internet of Things and users’ unmanaged devices pose significant challenges: 31% of respondents say that securely connecting IoT devices in their environment is a big issue, while 29% say it’s tough to securely enable the use of unmanaged devices in their environment. 31% of respondents are challenged by having the right level of security knowledge, skills, and expertise to fight the good fight.

Overall, 98% of respondents cite a challenge of some sort in securing remote user access to corporate applications and resources. More than one-third of respondents say their top remote access issue is providing secure access for BYOD devices. Others are vexed by the cost, poor security, and limited scalability of VPN infrastructure. What’s more, security professionals must deal with poor or unsatisfactory user experiences when users have to connect remotely.

Companies Ease into SASE with SSE

To tame the security issues, respondents want a modern approach that provides consistent, distributed enforcement for users wherever they are, as well as a zero-trust approach to application access and centralized policy management. These are all characteristics of SSE, the security component of SASE. Nearly three-quarters of respondents are taking the path of deploying SSE first before further delving into SASE.

SSE is not without its challenges, for example supporting multiple architectures for different types of traffic and ensuring that user experience is not impacted. Ensuring that traffic is properly inspected via proxy, firewall, or content analysis, and in locations as close to the user as possible, is critical to a successful implementation. ESG’s report outlines the important attributes security professionals consider when selecting an SSE solution. Top of mind is having hybrid options to connect on-premises and cloud solutions, to help transition to fully cloud-delivered over time.

Respondents Outline Their Core Security Functions of SSE

While organizations intend to eventually have a comprehensive security stack in their SSE, the top functions they are starting with are: secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), virtual private network (VPN), SSL decryption, firewall-as-a-service (FWaaS), data loss prevention (DLP), digital experience management (DEM), and next-generation firewall (NGFW).

Turning SSE into SASE Is the Goal

While SSE gets companies their security stack, SASE provides the full convergence of security and networking. And although enterprise IT buyers like the idea of multi-sourcing, the reality is that those who have gone the route of multi-vendor SASE have not necessarily done so by choice. A significant number of respondents say they simply feel stuck with being multi-vendor due to lock-in from recent technology purchases, or because of established relationships.

Despite the multi-vendor approach some companies will take, many of the specific reasons respondents cite for their interest in SSE would be best addressed by a single-vendor approach. Among them are: improving integration of security controls for more efficient management, ensuring consistent enforcement and protection across distributed environments, and improving integration with data protection for more efficient management and operations, all of which can come about more easily by working with just one SSE/SASE vendor. It eliminates the time and cost of integration among vendor offerings and the “finger pointing” when something goes wrong.

Even Companies in Early Stages Are Realizing Benefits

Most respondents remain in the early stages of their SSE journey. However, early adopters are experiencing success that should help others see the benefits of the architecture. For example, 60% say that cybersecurity has become somewhat or much easier than it was two years ago.

Those who have started the SASE journey have realized benefits, too. Nearly two-thirds report reduced costs across either security solutions, network solutions, security operations, or network operations. Similarly, 62% cite efficiency benefits of some kind, such as faster problem resolution, ease of management, faster onboarding, or reduction in complexity. Proof points like these should pique the interest of any organization thinking about SASE and SSE.

View the full survey report, SSE Leads the Way to SASE, here.

Networking and Security Teams Are Converging, Says SASE Adoption Survey 

Converging networking with security is fundamental to creating a robust and resilient IT infrastructure that can withstand the evolving cyber threat landscape. It not only protects sensitive data and resources but also contributes to the overall success and trustworthiness of an organization.

And just as technologies are converging, networking and security teams are increasingly working together. In our new 2023 SASE Adoption Survey, nearly a quarter (24%) of respondents indicate security and networking are being handled by one team.

For those with separate teams, management is focusing on improving collaboration between networking and security teams. In some cases (8% of respondents), this takes the form of creating one networking and security group. In most cases (74% of respondents), management has an explicit strategy that teams must either work together or have shared processes.

The Advantages of Converging the Networking and Security Teams

When network engineers and security professionals work together, they share knowledge and insights, leading to improved efficiency and effectiveness in addressing network security challenges.

By integrating networking and security functions, companies can gain better visibility into network traffic and security events. Networking teams possess in-depth knowledge of network infrastructure, which security researchers often lack. By providing security teams with network information, organizations can hunt and remediate threats more effectively.

Unveiling Insights: 2023 SASE Adoption Survey: https://www.catonetworks.com/resources/unveiling-insights-2023-sase-adoption-survey/

Closer collaboration enables quicker and more effective incident resolution, reducing the impact of cyber threats on business operations. Furthermore, by working together, the organization can optimize the performance of network resources while maintaining robust security measures, providing a seamless user experience without compromising protection.

There are other benefits, too, like streamlined operations, faster incident response, a holistic approach to risk management, and cost savings. All these advantages of a converged team help organizations attain a stronger security posture.

There's a Preference for One Team, One Platform

Bringing teams together also enables the organization to implement security measures during network design and configuration, ensuring that security is an inherent part of the network architecture from the beginning.

Many organizations today (68%) use different platforms for security and networking management and operations. However, most (76%) believe that using just one platform for both purposes would improve collaboration between the networking and security teams.

The preference for security and networking to work together extends to SASE selection. Which team leads on selecting a SASE solution, the networking or the security team? In most cases, it's both.

When it comes to forming a SASE selection committee, about half (47% of respondents) say it's a security team project with the networking team involved as necessary. Another 39% flip that script, with the networking team leading the project and involving the security team to vet the vendors.

As the teams come together, it makes great sense that they would prefer to use a single, unified platform for their respective roles. Most respondents (62%) say having a single pane of glass for managing security and networking is an important SASE purchasing factor. More than half (54%) also want a single data repository for networking and security events.

Security and Networking Team Convergence Calls for Platform Convergence

Regardless, an effective SASE platform needs to accommodate the needs of all organizational structures, whether teams are distinct or together. Essential in that role is rich role-based access control (RBAC) that allows granular access to various aspects of the SASE platform. In this way, IT organizations can create roles that reflect their unique structure, whether teams are converged or distinct. (Cato recently introduced RBAC+ for this reason. You can learn more here.)

As for SASE adoption, a single-vendor approach was the most popular (63% of respondents). Post deployment, would those who deployed SASE stay with the technology? The vast majority (79% of respondents) say, "Yes."

Additional findings from the survey shed light on:
- Future plans for remote and hybrid work
- Current rate of SASE adoption
- How to ensure security and performance for ALL applications
...and more. To learn more, download the report results here.

The New Network Dictionary: AvidThink Explains SASE, SD-WAN, SSE, ZTNA, MCN, and NaaS  

The enterprise networking and security market has seen no end to terms and acronyms. SASE, of course, is chief among them, but let us not forget SD-WAN, SSE, ZTNA, and Multi-Cloud Networking (MCN). Then we get into specific capabilities like CASB, DLP, SWG, RBI, FWaaS, and micro-segmentation. This alphabet soup of jargon can confuse even the most diligent and capable CISOs and CIOs, especially when vendors continually redefine and reclassify each category to fit their needs.

AvidThink, an independent research and analysis firm, set out to fix that problem. The firm produced the "Enterprise Edge and Cloud Network" report that defines and contextualizes these concepts and terms.

AvidThink founder and report author Roy Chua lays out the universal network fabric (UNF), the grand theoretical architectural model for how enterprises can seamlessly integrate disparate enterprise networking resources while providing a consistent and secure connectivity experience across all endpoints.

He correctly understands that networking and security can no longer stand apart:

"Traditional security measures are proving inadequate in the face of sophisticated threats, forcing organizations to seek security-centric network solutions. Integrating advanced security features directly into network architectures is now a critical requirement. Strong CISO interest in SASE, SSE, and ZTNA is evidence of this sentiment."

And he correctly identifies that, to address this need, SD-WAN vendors are trying to remake themselves into SASE vendors:

"...all leading SD-WAN vendors are upgrading to becoming SASE solutions" or partnering with SSE vendors to deliver SASE as a response "...to customer demands for protection from an increasing number of cyberattacks, and to further simplify the messy collection of point products across customer remote and campus sites."

AvidThink Sees Cato as the SASE Pioneer

But while numerous vendors market themselves as SASE vendors, Cato stands out: "...To be fair to Cato Networks, they were already espousing elements of the SASE architecture years before the SASE umbrella term was coined."

With that four-year head start (SASE was defined in 2019), Cato's been able to do SASE right. We didn't cobble together products and slap on marketing labels to capitalize on a new market opportunity. We built a fully converged, cloud-native, single-pass SASE architecture that today spans 80+ Cato-owned and -operated PoP locations servicing 140+ countries and interconnected by our global private backbone.

Enterprise Strategy Group Report: SSE Leads the Way to SASE: https://www.catonetworks.com/resources/enterprise-strategy-group-report-sse-leads-the-way-to-sase/

It's this fully single-vendor, converged approach that's so critical. As Chua reports hearing from one of our customers, "We believe in Cato's single-vendor clean-slate architecture because it brings increased efficiency and we're not bouncing between multiple vendors."

SASE Is About Convergence, Not Features

Cato did help sponsor the report, but that doesn't mean we agree entirely with the author. If there's a weakness in the report, and every report has to stop somewhere, it's in this area: the centrality of convergence to SASE. As we've mentioned many times in this blog, the individual components of SASE (SD-WAN, NGFW, SWG, ZTNA, and more) have been around for ages. What hasn't been around is the convergence of these capabilities into a global cloud-native platform.

Converging SASE capabilities enables better insight, where networking information can be used to improve security analytics. Convergence also improves usability, as enterprises finally gain a true single pane of glass: a management console where objects are created once and policies are unified, not the kind of "converged" console where, when you dig a level deeper, you find a new management console needs to be launched with all its own objects and policies.

And it's convergence into a single-pass, cloud-native platform that means optimum performance everywhere and deploying more infrastructure nowhere. All security processing can now be done in parallel at line rate. There are no sudden upgrades to branch or data center appliances when traffic levels surge or more capabilities are enabled. And since all the heavy lifting runs in the cloud, little or no additional infrastructure is needed to connect users, sites, or cloud resources.

It's this convergence that's allowed Cato customers to instantly respond to new requirements, like Juki ramping up its 2742 mobile users or Geosyntec adding 1200+ remote users worldwide in about 30 minutes, both in response to COVID. It's convergence that allows one person to efficiently manage the security and networking needs of a company on the scale of a Fortune 500 company. Convergence IS the story of SASE.

To read the report, download it from here.

Carlsberg Selects Cato, the “Apple of Networking,” for Global SASE Deployment 

Today, we announced that Carlsberg, the world-famous brewer, has selected Cato SASE Cloud for its global deployment. It's a massive SASE deployment spanning 200+ locations and 25,000 remote users worldwide, replacing a combination of MPLS services, VPN services, SD-WAN devices, remote access VPNs, and security appliances.

The mix of technologies meant that Carlsberg faced the operational problems associated with building and maintaining different service packages. "Some users would receive higher availability and others better capabilities, but we couldn't bring it all together to create an à la carte set of services that could apply to any office anywhere and facilitate our global IT development," says Laurent Gaertner, Global Director of Networks at the Carlsberg Group.

With Cato, Carlsberg expects to do just that: deliver a standard set of network and security services everywhere. Carlsberg will be replacing MPLS, VPN, and SD-WAN services with Cato SASE Cloud and Cato's global private backbone. Remote VPN services will be replaced with Cato ZTNA. And the mix of security appliances will be replaced with the security capabilities built into Cato SASE Cloud.

All of this is possible because every Cato capability is available everywhere in the world. While our competitors talk about certain PoPs holding some capabilities but not others, Cato delivers the full scope of Cato SASE Cloud capabilities from all 80+ PoP locations worldwide, servicing 150+ countries. Chances are that wherever your users are located, Cato SASE Cloud can connect and secure them.

The Apple of Networking Makes Deployment Easy

Normally, the complexity of such a project would be daunting. Large budgets and many months would be spent assessing, deploying, and then integrating various point products and solutions. Not so with Cato.

With Cato SASE Cloud, there's one product to select, deploy, and manage. "Owning all of the hardware makes Cato so much simpler to deploy and use than competing solutions," says Tal Arad, Vice President of Global Security & Technology at Carlsberg. "We started referring to them as the Apple of networking." With rapid deployment possible, Cato helps Carlsberg get value out of SASE faster.

Nor is Carlsberg alone in that view. In February 2023, Häfele, a German family enterprise based in Nagold, Germany, suffered a severe ransomware attack forcing the company to shut down its computer systems and disconnect them from the internet. At the time, Häfele was in an RFP process to select a SASE vendor, with Cato being one of the candidates.

Cato SASE Identified as a "Leader" in GigaOm Radar report: https://www.catonetworks.com/resources/cato-sase-cloud-identified-as-a-leader-download-the-report/

Instead of paying the ransom, the Häfele team turned to Cato. Over the next four weeks, Häfele worked with Cato and restored its IT systems, installing Cato Sockets at 180+ sites across 50+ widely dispersed countries such as Argentina, Finland, Myanmar (Burma), and South Africa. "The deployment speed with Cato SASE Cloud was a game changer," said Daniel Feinler, CISO, Häfele. "It was so fast that a competing SASE vendor didn't believe us. Cato made it possible."

The strategic benefits of being able to rapidly deliver a consistent set of services worldwide can't be overemphasized. IT leaders have long realized the value of a single service catalog to offer the departments and business units they serve. In theory, this would streamline service delivery and simplify management. Solutions could be fully tested and approved and then rolled out across the enterprise as necessary. Operational costs would be reduced by standardization.

Practically, though, worldwide service catalogs are frustrated by regional differences. MPLS services aren't available everywhere, so they can't be applied to all offices. Even where MPLS services are available, their high costs may be difficult to justify for smaller offices and certainly for today's home offices. Delivering security appliances also isn't always possible, particularly when we're speaking about securing remote users, not sites. The end result? What IT thought was to be a standardized set of services and capabilities accumulates so many differences that the exception becomes the new standard.

Cato's ubiquity and ability to connect any edge, anywhere, enable true service standardization. No matter the type of site or the location of the remote user, a standard set of security and networking services can be provided. With one set of proven services, IT can immediately reduce the operational overhead of having to kludge together custom solutions for every region, and worse, every site.

To learn more about the Carlsberg deployment, read the press release here.

Key Findings From “WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success”

SD-WAN has enabled new technology opportunities for businesses. But not all organizations have adopted SD-WAN in the same manner or are having the same SD-WAN experience. As the market gravitates away from SD-WAN towards SASE, research and consulting firm EMA analyzed how businesses are managing this transition to SASE. In this blog post, we present the key findings from their report, titled "WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success". You can download the entire report from here.

Research Methodology

For this research, EMA surveyed 313 senior IT professionals from North America on their company's SD-WAN strategy.

Most Enterprises Prefer SD-WAN as a Managed Service

66% of enterprises surveyed prefer procuring, implementing and consuming SD-WAN solutions as a managed service. Only 21% prefer a DIY approach, and the rest are still determining their preference. EMA found that SD-WAN as a managed service provides organizations with network assurance, integration with other managed services, cost savings and the ability to avoid deployment complexity, among other benefits. The organizations that prefer the DIY approach, on the other hand, wish to maintain control to customize as they see fit. They also view the DIY approach as more cost-effective and as an opportunity to leverage the strengths of their internal engineering team.

Less Than Half of Enterprises Prefer a Single-Vendor SD-WAN

49% of enterprises surveyed used or planned to use only one SD-WAN vendor, nearly 44% preferred a multi-vendor approach, while the rest were undecided. According to the surveyed personnel, a multi-vendor approach was chosen due to functionality requirements, the nature and requirements of their sites, and the independent technology strategies of different business units, among other reasons.

Critical SD-WAN Features

Not all SD-WAN features were created equal. The most critical SD-WAN features are hybrid connectivity, i.e., the ability to forward traffic over multiple network connections simultaneously (33.9%), integrated network security (30%), native network and application performance monitoring (28.8%), automated, secure site-to-site connectivity (27.5%), application quality of service (24.3%), and centralized management and control, either cloud-based or on-premises (23.3%).

NEW EMA Report: Establishing a Mature Foundation for SASE Success: https://www.catonetworks.com/resources/new-ema-report-wan-transformation-with-sd-wan-establishing-a-mature-foundation-for-sase-success/

SD-WAN Replaces MPLS

The internet has become a primary means of WAN connectivity for 63% of organizations. Almost all the other surveyed organizations are actively embracing this trend. This shift impacts the use of MPLS, with the internet being leveraged more often to boost overall bandwidth. However, security remains a top concern, with 34.5% of surveyed enterprises viewing security as the biggest challenge in using the internet as their primary WAN connectivity. This is followed by the complexity of managing multiple ISP relationships (25.9%) and lack of effective monitoring/visibility (19.2%).

Operations and Observability

88.5% of surveyed enterprises are either satisfied or somewhat satisfied with their SD-WAN solutions' native monitoring features. The main challenges revolve around granularity of data collection (32.3%), lack of data retention (30%), lack of relevant security information (28.4%), no drill-downs (25.6%) and data formatting problems (25.6%). Perhaps this is why 72.5% of surveyed enterprises use, or plan to use, third-party monitoring tools.

WAN Application Performance Issues

Organizations are struggling with performance on their WANs. The most common problems were:
- Bandwidth limitations (38.7%)
- Latency (38.3%)
- Cloud outages (38.3%)
- ISP congestion (32.9%)
- Packet loss (25.9%)
- Policy misconfiguration (25.6%)
- Jitter (13.4%)

EMA found that cybersecurity teams were more likely to perceive bandwidth limits as a problem than network engineering teams. In addition, IT governance and network operations teams were more likely to mention cloud outages as a problem, and the largest companies reported latency issues as their biggest problem.

Only 38% of Enterprises Believe They've Been Successful with SD-WAN

How do enterprises perceive their success with SD-WAN? Only 38% believe they've been successful and nearly 50% report being somewhat successful. Perhaps this could be the result of the SD-WAN business and technology challenges they are facing: a skills gap (40.9%), lack of defined processes and best practices (40.9%), vendor issues (36.7%), implementation complexity (26.2%) and integrating with the existing security architecture and policies (24%).

Integrating SD-WAN with SSE

There are a few paths an organization can take on the way to SASE. 54% of surveyed enterprises prefer adding SSE to their SD-WAN solution. Nearly 31% prefer expanding SD-WAN capabilities to achieve SASE, and the rest prefer adopting SASE all at once or are still evaluating. In addition, EMA found that a mature SD-WAN foundation helped make the transition to SASE a smoother experience.

Transitioning to SASE

EMA views SD-WAN as "the foundation of SASE, which appears to be the future of networking and security." Yet enterprises are still unsure about their path to SASE and how to achieve it. Per EMA, a firm SD-WAN foundation is key for a successful SASE transition, and organizations should strive to deploy a strong SASE solution. To read the complete report, click here.

Cato’s 5 Gbps SASE Speed Record is Good News for Multicloud and Hybrid Cloud Deployments

In the original Top Gun movie, Tom Cruise famously declared the words, "I feel the need! The need for speed!" At Cato Networks, we also feel the need for speed, and while we're not breaking the sound barrier at 30,000 feet, we did just break the SASE speed barrier (again!). (We're also getting our taste for speed through our partnership with the TAG Heuer Porsche Formula E Team, where Cato's services ensure that Porsche has a fast, reliable, and secure network that's imperative for its on-track success.)

Earlier last month, we announced that Cato reached a new SASE throughput record, achieving 5 Gbps on a single encrypted tunnel with all security inspections fully enabled. This tops our previous milestone of up to 3 Gbps per tunnel.

The need for 5 Gbps arises on the most intensive, heavily used network connections within the enterprise, such as connections to data centers, between clouds in multi-cloud deployments, or to clouds housing shared applications, databases, and data stores in hybrid clouds. Not all companies have the need for 5 Gbps connections, but for large organizations that do have that need, it can make a significant difference in performance.

Only a Cloud-Delivered SASE Solution Can Offer Such Performance

The improved throughput underscores the benefits of Cato's single-vendor, cloud-native SASE architecture. We were able to nearly double the performance of the Cato Socket, Cato's edge SD-WAN device, without requiring any hardware changes, or anything at all, for that matter, on the customer's side.

This big leap in performance was made possible through significant improvements to the Cato Single Pass Processing Engine (SPACE) running across the global network of Cato PoPs. The Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. Putting this in "traditional" product category terms, a Cato SPACE includes the capabilities of global route optimization, WAN and cloud access acceleration, and security as a service with next-generation firewall, secure web gateway, next-gen anti-malware, and IPS.

Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE: https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/

These capabilities are the compute-intensive operations that normally degrade edge appliance performance, but Cato performs them in the cloud instead. All the security inspections and the bulk of the packet processing are conducted in parallel in the Cato PoP by the SPACE technology and not at the edge, as in appliance-based architectures. Cato Sockets are relatively simple, with just enough intelligence to move traffic to the Cato PoP where the real magic happens.

The improvements enhanced Cato SPACE scalability, enabling the cloud architecture to take advantage of additional processing cores. By processing more traffic more efficiently, Cato SPACE can receive and inspect more traffic from the Cato Sockets. What's more, all Cato PoPs run the exact same version of SPACE. Any existing customer using our X1700 Sockets, the version meant for data centers, will now automatically benefit from this performance update.

By contrast, competitors' SASE solutions implemented as virtual machines in the cloud or modified web proxies remain limited to under 1 Gbps of throughput for a single encrypted tunnel, particularly when inspections are enabled. Those designs are an added layer of complexity and risk that doesn't exist in Cato's solution.

New Cross-Connect Capabilities Enable High-Speed Cloud Networking Worldwide

Cato is also better supporting multicloud and hybrid cloud deployments by delivering 5 Gbps connections to other cloud providers. The new Cato cross-connect capability in our PoPs enables private, high-speed layer-2 connections between Cato and any other cloud provider connecting to the Equinix Cloud Exchange (ECX) or to Digital Realty. This is done by mapping a VLAN circuit from the customer's Cato account to the customer's tenant in the other cloud provider.

The new cross-connect enables a reliable and fast connection between our customers' cloud instances and our PoPs that is entirely software-defined and doesn't require any routers, IPsec configuration, or virtual sockets.

The high-speed cross-connect will be a real enabler for those enterprises with a multicloud or hybrid cloud environment, which, according to the Flexera 2023 State of the Cloud Report, is 87% of organizations. Companies need encrypted, secure, high throughput between their clouds or to the central data centers in their hybrid deployments.

In addition, this new service gives legacy environments the ability to use the leading-edge network security measures of the Cato SASE platform. Enterprises with MPLS or third-party SD-WAN infrastructure can now leverage Cato's SSE capabilities without changing their underlying networks.

Cato Engineers Put Innovation to Work

The new SASE throughput speed record and the cross-connect capabilities show that innovation never rests at Cato. (In fact, GigaOm did recognize Cato as an Outperformer "based on the speed of innovation compared to the industry in general.") We'll continue to look for ways to apply our innovative minds to further enhance our industry-leading single-vendor, cloud-native SASE solution.

Q&A Chat with Eyal Webber-Zvik on Cato RBI 

Q&A Chat with Eyal Webber-Zvik on Cato RBI  Today Cato Networks announced the addition of the Cato RBI to our Cato SASE Cloud platform. It is an exciting day for us and for our customers. Why? Because Cato’s cloud-native, security stack just got better, and without any added complexity.   I sat down with Eyal Webber-Zvik, Vice President of Product Marketing and Strategic Alliances at Cato Networks, and asked him to provide his perspective on what is Cato RBI and what this means for Cato’s customers.  Why should enterprises care about RBI?  Enterprises need to care because with new websites popping up every day, they face a dilemma between the security risk of allowing employees to access uncategorized sites and the productivity and frustration impact of preventing this. With Cato RBI now integrated into our Cato SASE Cloud platform, we are giving enterprise IT teams the best of both worlds: productivity and security.    What is Cato RBI and why do enterprises need it?  Cato RBI is a security function that protects against malicious websites by running browser activity remotely from the user’s device, separating it from the web content. Cato RBI sends a safe version of the page to the device so that malicious code cannot reach it, without affecting the user experience.  Enterprises need Cato RBI to protect employees from malicious websites that are not yet blacklisted as such. When employees do reach unknown and malicious sites, Cato RBI protects the business by preventing code from running in their browsers. Cato RBI protects from human error while also saving users from the frustration of being blocked from unknown websites.  How does Cato RBI work?  An isolated browser session is set up, remote from the user’s device, which connects to the website and loads the content. Safe-rendered content is then streamed to the users’ browsers. Malicious code does not run on the user’s device and user interaction can be limited, for example, to prevent downloads.   
Some solutions require that every browsing session uses RBI, but it is better invoked when necessary, for example by a policy that is triggered when a user tries to visit an uncategorized website.

Cato RBI gives IT administrators a new option for uncategorized websites. Alongside "Block" and "Prompt," they can now choose "Isolate." Configuration of Cato RBI can be done in less than one minute by a customer's IT administrator.

What if an enterprise already uses SWG, CASB, Firewall, IPS and/or anti-malware? Why do they need Cato RBI?

These solutions protect against a wide range of threats, but Cato RBI adds another important layer of protection specifically against web- and browser-based threats, such as phishing, cookie stealing, and drive-by downloads. Since Cato RBI prevents code from reaching devices, it will help protect a business against:

- New attacks that are not documented.
- New malicious sites that are not categorized.
- User error, such as clicking on the link in a phishing email.

Cato RBI gives enterprises more peace of mind. It may allow organizations to operate a more relaxed policy on access to unknown websites, which is less intrusive and frustrating for users, who in turn will raise fewer tickets with their IT team.

What types of cyber threats does Cato RBI protect against?

Cato RBI provides protection against a wide range of browser-based attacks, such as unintended downloads of malware and ransomware, malicious ads, cross-site scripting (XSS), browser vulnerabilities, malicious and exploited plug-ins, and phishing attacks.

What are the benefits of Cato RBI for enterprises and users?

There are five immediate benefits when using Cato RBI. They are:

- To make web access safer by isolating malicious content from user devices.
- To prevent your data from being stolen by making it more difficult for attackers to compromise user devices.
- To protect against phishing email, ransomware, and malware attacks by neutralizing the content in the target websites.
- To defend against zero-day threats by isolating users from malicious websites that are new and not yet categorized.
- To make users more productive by allowing them to visit websites even though they are not yet known to be safe.

Does Cato collaborate with other companies to offer Cato RBI?

Yes. We partner with Authentic8, a world leader in the field of RBI. Authentic8 is chosen by hundreds of government agencies and commercial enterprises and offers products that meet the needs of the most regulated organizations in the world. Authentic8's RBI engine is cloud-native and globally available, and the integration into our Cato SASE Cloud is seamless and completely transparent.

Follow the links to learn more about Cato RBI, and about our SASE solution.

A sit down with Windstream Enterprise CTO on Security Service Edge

A sit down with Windstream Enterprise CTO on Security Service Edge

Windstream Enterprise recently announced the arrival of North America's first and only comprehensive managed Security Service Edge (SSE) solution, powered by Cato Networks, offering sophisticated, cloud-native security capabilities that can be rapidly implemented on almost any network for near-immediate ironclad protection. In the spirit of partnership, we sat down with Art Nichols, CTO of Windstream, to share insights into this SSE announcement and what this partnership brings to light.

Why did you decide to roll out SSE?

We are excited to expand upon our single-vendor security offerings with the launch of this single-vendor, cloud-native SSE solution, powered by Cato Networks. This SSE architecture delivers near-immediate and cost-effective ways for clients to protect their network, and the users and resources attached to it. It also supports the expanded remote access to cloud-based applications that customers and employees alike must utilize.

By rolling out SSE to our customers, our ultimate goal is to provide them with a seamless journey towards improving their organization's security posture. Most IT leaders are aware that in this era of constant digital change, businesses must make room for greater cloud migration, rising remote work demands and new security threats. SSE will help future-proof their network security by migrating away from outdated and disjointed security solutions that are limited in their ability to support customer and employee needs for greater use of cloud resources.

Why did you choose Cato's SSE platform?

Partnering with Cato Networks was no doubt the right decision for Windstream Enterprise.
While we considered multiple technology partners, Cato's solution was the only fully unified, cloud-native solution. This architecture enables businesses to eliminate point solutions and on-premises devices by integrating the best available security components into their existing network environments without disruption. This partnership allowed us to enter the Secure Access Service Edge (SASE) and SSE market fast and be a key part of it as security needs continue to rapidly evolve.

Cato Networks is different from the competition because it was built to be a cloud-native SASE solution. As such, Cato's technology offers a better customer experience with greater visibility across the platform, as well as artificial intelligence that can swiftly evaluate all security layers and provide a faster resolution to security breaches and vulnerabilities.

Partnering with Cato has given us quite a competitive edge, and it's not just about the technology (although it's a big part of it); we feel that we get the unique opportunity to partner with the inventor of a true 360-degree SASE platform. Cato's SSE solution pairs perfectly with our professional services and market-leading service portfolio, backed by our industry-first service guarantees and our dedicated team of cybersecurity experts. We could not be more pleased with this partnership and look forward to what the future will bring.

You're already offering SASE, powered by Cato Networks. How will this be different?

SSE is a subset of SASE, and is meant to describe the convergence of cloud security functions. SASE takes a broader and more holistic approach to secure and optimized access by addressing both optimization of the user experience and securing all access and traffic against threats, attacks, and data loss.
What we've announced has similarities with a SASE solution in almost every way, but unlike SASE, an SSE solution can be overlaid onto any existing network, such as an SD-WAN, allowing it to be deployed near-immediately to secure all endpoints, users and applications. Because of this, SSE brings an added level of simplicity in that no network changes are required to implement this security framework.

What is driving the demand for solutions like SSE and SASE?

Gartner has predicted that "By 2025, 80% of organizations seeking to procure SSE-related security services will purchase a consolidated SSE solution, rather than stand-alone cloud access security broker, secure web gateway and ZTNA offerings, up from 15% in 2021." This means there are many enterprises that are, or soon will be, searching for a comprehensive SSE solution. And since security for networks, applications and data continues to be a top concern for most C-level and IT executives, there are several reasons backing the strong demand for SSE and SASE:

- Cybercriminals are becoming incredibly sophisticated in the ever-expanding threat landscape, and data breaches come with high price tags that can damage brand reputations and wallets.
- Legacy networks were built around physical locations and don't scale easily because they are premises-based. Premises-based, disjointed point solutions from multiple vendors often require manual maintenance.
- With more applications moving to the cloud, SSE is a cloud-native framework specifically built for modern work environments (hybrid and remote). It delivers a self-maintaining service that continuously enhances all its components, resulting in reduced IT overhead and allowing enterprises to shift focus to business-critical activities. It also no longer makes sense for businesses to backhaul internet traffic through data center firewalls.

What can customers gain from a managed SSE solution?
SSE is a proven way to improve an organization's security posture by establishing a global fabric that connects all edges into a unified security platform and enables consistent policy enforcement. By choosing a managed SSE solution, you get near-instant protection on any network, integrating the best available cloud-native security components from Cato Networks into your existing network environment without any disruption. Customers gain this ironclad security architecture that seamlessly implements zero trust access, ensuring that all users only have access to company-authorized applications, and relentlessly defends against anomalies, cyberthreats and sensitive data loss. And with Windstream Enterprise as your managed service provider for Cato's SSE technology, you get complete visibility via our WE Connect portal, along with the opportunity to integrate this view with additional Windstream solutions, such as OfficeSuite UC® for voice and collaboration and SD-WAN for network connectivity and access management. That means one single interface to control all your IT managed services, backed by industry-first service guarantees, to help you succeed in your business, on your terms.

Not to mention, we will act as an extension of your security team. So, not only do you seamlessly integrate these security components into one comprehensive offering, but you can rely on one trusted partner to deliver it all, with white-glove support from our dedicated team of Cybersecurity Operations Center (CSOC) experts. This goes a long way for organizations that are looking to increase their cybersecurity investments while also adhering to the limitations posed by the ongoing IT skills gap that is leading to shrinking IT and security teams.

To learn more about SSE from Windstream Enterprise, powered by Cato Networks technology, visit windstreamenterprise.com/sse

Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey

Unsolved Remote Access Challenges Continue to Propel SASE in 2023, Finds New Cato Survey

By all accounts, 2023 is expected to see strong growth in the SASE market. Gartner has already predicted in The Top 5 Trends in Enterprise Networking and Why They Matter: A Gartner Trend Insight Report (subscription required) that by 2025, 50% of SD-WAN purchases will be part of a single-vendor SASE offering, up from less than 10% in 2021. And in a recent audience poll at Gartner's I&O Cloud conference, when audience members were asked which of five technologies they were most likely to invest in, 31% indicated SASE, making it number two overall, just behind Universal ZTNA (at 34%).

And Gartner isn't the only one expecting SASE to perform well this year. Dell'Oro expects the SASE market to reach $8 billion in 2023. The drivers for this activity? The need for security everywhere, particularly driven by hybrid work. "The internet is now a logical extension of the corporate network, and the need for security is as great as ever," Dell'Oro Research Director Mauricio Sanchez told SDxCentral.

We couldn't agree more. We just finished surveying more than 1,661 IT leaders about the drivers of SASE adoption in 2023. The survey gathered insight into their experiences with SASE and, for those who have not yet deployed SASE, the IT challenges confronting them moving forward.

What's so striking when you look at the data is the role remote access plays. More than half (51%) of respondents who have not yet adopted any kind of SASE point to enabling remote access from anywhere as their number one challenge. The same is true for "Adopt zero trust security posture for all access."

Why Remote Access VPNs Are Not the Answer for Hybrid Work

There are any number of reasons why enterprises are looking at replacing legacy remote access solutions.
"Traditional approaches anchored only to on-premises solutions at the corporate internet gateway no longer work in the new 'anywhere, anytime, with any device' environment that the pandemic accelerated," SDxCentral quoted Sanchez as saying.

More specifically, legacy VPNs suffer from five key problems:

Scaling and capacity issues. VPN servers have a limited amount of capacity; as more users connect, performance degrades and the user experience suffers. To increase VPN server capacity, IT must deploy new appliances or upgrade existing ones. Security and performance optimization challenges require additional appliances to be purchased, deployed, and integrated, which only increases network complexity.

Lack of granular security controls. Generally, point solutions restrict access at the network level. Once a user authenticates, they have network access to everything on the same subnet, and in practice to every subnet routed over the tunnel, whether or not they have any business reaching it. This lack of granular security and visibility creates significant risk and leaves gaps in network visibility.

Poor performance. All too often, remote users complain about the sluggishness of corporate applications when accessed remotely. Part of that is an architecture issue, particularly when traffic needs to be brought back to an inspection point, adding latency to the session. VPN traffic is also susceptible to the unpredictability and latency of Internet routing.

Rotten user experience. Remote users struggle with connecting using legacy VPN software. Too many parameters have to be configured to connect properly. Where once this might have been tolerated by a small subset of remote users, it becomes a very different story when the entire workforce operates remotely.

Growing security risk. VPN infrastructure itself has all too frequently been the target of attack.
A brief search of the MITRE CVE database for "VPN Server" shows 622 CVE records, and CERT has warned that multiple vendors' VPN products stored session cookies insecurely.

It shouldn't be surprising, then, that when we asked IT leaders further down the SASE adoption curve what triggered their SASE transformation project, "remote access VPN refresh" was the most common response (46%).

SASE: The Answer to the Hybrid Work Challenge

SASE answers those challenges by enabling work to occur anywhere, securely and efficiently. As part of a SASE platform, remote access benefits from the scaling of a cloud-native architecture. There's no need to add server resources to accommodate users who suddenly need remote access. "Deployment was quick. In a matter of 30 minutes, we configured the Cato mobile solution with single-sign-on (SSO) based on our Azure AD," says Edo Nakdimon, senior IT manager at Geosyntec Consultants, who had more than 1,200 users configured for remote access in less than an hour with the Cato SASE Cloud.

Zero trust is just part of the SSE pillar of a single-vendor SASE platform, giving IT granular control over which resources each remote user can reach. Security is improved by eliminating the VPN servers that are so frequently the object of attack. And remote user performance improves by inspecting traffic in the PoP nearest the user's location and then sending it on to other locations across the SASE platform's global optimized backbone rather than the unpredictable Internet.

No wonder those IT leaders who did adopt SASE indicated they were able to address the remote access challenge. When asked, "As a SASE user, what are the key benefits you got from SASE?", "Enable Remote Access from Anywhere" was the highest-ranked benefit (57% of respondents), followed by "Adopt zero trust security posture for all access" at 47% of respondents.

All of which makes remote access a "quick win" for anyone looking to deploy SASE.
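The "lack of granular security controls" point above and the zero-trust answer to it are easiest to see side by side in code. The following is an added example, not Cato's code or a description of its policy engine: a minimal model of a legacy remote-access VPN, which lets an authenticated user reach anything on the subnets routed over the tunnel, next to a default-deny ZTNA rule set that grants access per published application, user group and device posture. The users, hosts, applications, rules and flow records are all constructed for the example; the `ZtnaPolicy` and `LegacyVpnPolicy` classes and the comma-separated flow-record format are hypothetical.

```python
"""Network-level (legacy VPN) vs application-level (ZTNA) access decisions.

Added example, not Cato's code. Everything below (users, groups, hosts,
applications, rules, flow records) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]    # identity-provider group memberships
    device_managed: bool      # posture signal: corporate-managed device?
    dst_ip: str
    dst_port: int


@dataclass
class Decision:
    allowed: bool
    reason: str


class LegacyVpnPolicy:
    """Once the tunnel is up, every host on a routed subnet is reachable.
    Identity and posture play no further role after authentication."""

    def __init__(self, routed_subnets):
        self.routed = [ip_network(s) for s in routed_subnets]

    def decide(self, req: AccessRequest) -> Decision:
        ip = ip_address(req.dst_ip)
        if any(ip in net for net in self.routed):
            return Decision(True, "tunnel routes this subnet; no per-app check")
        return Decision(False, "destination not routed over the tunnel")


@dataclass(frozen=True)
class Application:
    name: str
    hosts: FrozenSet[str]     # IPs that serve this published application
    ports: FrozenSet[int]


@dataclass(frozen=True)
class Rule:
    app: str
    groups: FrozenSet[str]    # any one of these groups may access the app
    require_managed_device: bool


class ZtnaPolicy:
    """Default deny: a connection is allowed only if it targets a published
    application and a rule for that application matches the user's group
    and device posture."""

    def __init__(self, apps: List[Application], rules: List[Rule]):
        self.apps = {a.name: a for a in apps}
        self.rules = rules

    def _app_for(self, ip: str, port: int) -> Optional[Application]:
        for app in self.apps.values():
            if ip in app.hosts and port in app.ports:
                return app
        return None  # unpublished host:port, e.g. SSH to a DB server

    def decide(self, req: AccessRequest) -> Decision:
        app = self._app_for(req.dst_ip, req.dst_port)
        if app is None:
            return Decision(False, "no published application at this host:port")
        for rule in self.rules:
            if rule.app != app.name or not (rule.groups & req.groups):
                continue
            if rule.require_managed_device and not req.device_managed:
                return Decision(False, f"{app.name}: managed device required")
            return Decision(True, f"{app.name}: permitted by group rule")
        return Decision(False, f"{app.name}: no rule grants {req.user}")


# Constructed flow records: user,group,posture,dst_ip,dst_port
SAMPLE_FLOWS = """\
alice,finance,managed,10.10.5.20,443
alice,finance,managed,10.10.9.7,5432
bob,contractors,unmanaged,10.10.5.20,443
bob,contractors,unmanaged,10.10.9.7,22
carol,engineering,managed,10.10.9.7,5432
dave,finance,unmanaged,10.10.9.7,5432
"""

APPS = [
    Application("hr-portal", frozenset({"10.10.5.20"}), frozenset({443})),
    Application("payroll-db", frozenset({"10.10.9.7"}), frozenset({5432})),
]
RULES = [
    Rule("hr-portal", frozenset({"finance", "contractors", "engineering"}), False),
    Rule("payroll-db", frozenset({"finance"}), True),
]


def parse_flow(line: str) -> AccessRequest:
    user, group, posture, ip, port = line.split(",")
    return AccessRequest(user, frozenset({group}), posture == "managed", ip, int(port))


def compare(flows: str = SAMPLE_FLOWS, routed=("10.10.0.0/16",)) -> List[Tuple]:
    """Evaluate every flow under both models; returns
    (user, dst_ip, dst_port, vpn_allowed, ztna_allowed, ztna_reason) per flow."""
    vpn, ztna = LegacyVpnPolicy(routed), ZtnaPolicy(APPS, RULES)
    results = []
    for line in flows.strip().splitlines():
        req = parse_flow(line)
        v, z = vpn.decide(req), ztna.decide(req)
        results.append((req.user, req.dst_ip, req.dst_port, v.allowed, z.allowed, z.reason))
    return results


def lateral_exposure(results: List[Tuple]) -> List[Tuple]:
    """Connections the VPN permits that ZTNA denies: the 'everything on the subnet' gap."""
    return [(u, ip, port, reason) for u, ip, port, v, z, reason in results if v and not z]


if __name__ == "__main__":
    res = compare()
    for row in res:
        print(row)
    print("VPN-only exposure:", lateral_exposure(res))
```

Run as-is, the VPN model allows all six flows because every destination sits inside 10.10.0.0/16, while the ZTNA model denies three of them: a contractor's SSH attempt against the database host (no such application is published), an engineer's connection to the payroll database (no rule for that group), and a finance user on an unmanaged device (posture check). Those three rows are exactly the lateral reach a flat VPN grant hands to a compromised account or device.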

Cato SASE Cloud’s “Innovation” and “Platform Play” Earn “Leader” and “Outperformer” Status in GigaOm SD-WAN Radar Report

Cato SASE Cloud's "Innovation" and "Platform Play" Earn "Leader" and "Outperformer" Status in GigaOm SD-WAN Radar Report

Today we announced that Cato Networks was named a "Leader" and "Outperformer" by GigaOm in the analyst firm's Radar for SD-WAN Report. This is our first year to be included in the report, and already we shot to the top of the Leaders circle, underscoring the strength and maturity of Cato SD-WAN and showing the importance of considering SD-WAN as part of a broader SASE offering.

The report evaluates 20 notable SD-WAN vendors, including Cisco, Fortinet, Versa Networks, Juniper, Palo Alto, VMware, and others. Of all these SD-WAN providers, Cato Networks is the only one rated as Exceptional in all the key criteria considered to be differentiators among the providers, as well as in the primary features for customers to consider as they compare solutions.

Figure 2: Only Cato scored "Exceptional" across every one of GigaOm's Key Criteria

GigaOm: Cato's SD-WAN Is "Easier to Maintain and Scale"

The report highlights Cato's unique cloud-based approach to delivering SD-WAN as a real differentiator that makes a software-defined wide area network easier to maintain and scale for business needs.

"Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass," says the report. "By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN.
Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution, Cato SSE 360, for securing third-party SD-WAN devices."

Cato Is a Strong "Platform Play" with "Innovation"

The report places Cato as the only vendor with a strong "Platform Play" and "Innovation" in features. According to the report, "Positioning in the Platform Play quadrant indicates that the vendor has a fully integrated solution – usually built from the ground up – at the functional level." The report additionally recognizes Cato as an Outperformer "based on the speed of innovation compared to the industry in general." GigaOm calls Cato "a vendor to watch" for its innovation. Read the GigaOm report for yourself to see why Cato SASE Cloud is the leader of the SD-WAN pack.

Gartner’s Market Guide to Single-Vendor SASE Offerings: The Closest Thing You’ll Get to a SASE Magic Quadrant

Gartner's Market Guide to Single-Vendor SASE Offerings: The Closest Thing You'll Get to a SASE Magic Quadrant

Ever since Secure Access Service Edge (SASE) was adopted by every significant networking provider and network security vendor, IT leaders have been waiting for a Gartner SASE Magic Quadrant. And for good reason. The industry has seen widely different approaches to what's being marketed as SASE. Some companies partnered with each other to offer a joint solution with slightly integrated products; for example, Zscaler and any number of SD-WAN partners. Others simply rebranded their existing solutions as SASE. Think VMware SD-WAN (previously VeloCloud) turning into VMware SASE. Market consolidation has brought together still other companies with disparate services requiring years' worth of integration. As an example, consider HPE, Aruba and Silver Peak and the integration work ahead of them to make a cohesive SASE product.

Meanwhile, we at Cato Networks chose a different path: to build a fully converged, global networking and security solution from the ground up. Gartner calls this "single-vendor SASE."

A SASE Magic Quadrant would clear up the confusion in the industry and separate the leaders from the losers. But while Gartner may not yet be ready to issue a SASE Magic Quadrant, the firm has issued the next best thing: the Market Guide for Single-Vendor SASE. The report takes a close look at the SASE market and specifically at single-vendor SASE.

The Single-Vendor SASE Market Is Projected to Grow Substantially

Gartner defines a single-vendor SASE offering as one that delivers converged network and security as-a-service capabilities using a cloud-centric architecture. Cato is the prototypical single-vendor SASE leader. Example services that are part of a single-vendor SASE offering are SD-WAN, SWG, FWaaS, ZTNA, and CASB. All of those services, and this is key, are fully converged together in the underlying architecture, service delivery, and management interface.
They truly are one cloud service, which is what separates single-vendor SASE from other approaches.

These converged services might also be the full roster of capabilities for the newest single-vendor SASE entries, but they are only the starting point for Cato. In addition to those services, Cato also offers a global private backbone, data loss prevention (DLP), rapid CVE mitigation, managed threat detection and response, SaaS optimization, UC and UCaaS optimization, and a range of other capabilities.

According to Gartner, there should be rapid growth in single-vendor SASE implementation in the next few years. While only 10% of deployments were single-vendor SASE solutions last year, Gartner expects a third of all new SASE deployments by 2025 to be single-vendor. By the same timeframe, half of new SD-WAN purchases will be part of a single-vendor SASE offering. The market's growth is largely being driven by the desire for simplicity by reducing the number of deployed solutions and vendors. Of course, reducing complexity while still offering enterprise-class capabilities is something Cato has been delivering for years.

Cato Was Ahead of Its Time in This "Adolescent" Market

"A single-vendor SASE must own or directly control (OEM, not service chain with a partner) each of the capabilities in the core category," according to the report authors. A "well-architected" solution must have all services fully integrated, a single unified management plane and a single security policy, a unified and scalable software-based architecture, and flexibility and ease of use. The report lists core functional requirements in each of the areas of secure web gateway, cloud access security broker, zero trust network access, and software-defined WAN.
Gartner points out that there are several vendors in the "adolescent" industry that meet the analyst firm's minimum requirements. There are more, still, that come close but aren't quite there with their offerings. Because single-vendor SASE brings together networking and security into one solution with many functions, Gartner recommends that a joint team of network professionals and security experts be appointed to evaluate the solutions based on the organization's foremost needs.

Single-Vendor SASE Has Lots of Benefits

The benefits of single-vendor SASE are many. Gartner cites the following as reasons to go this route for a SASE solution:

- An improved security posture for the organization. This is based on reduced complexity of the various security functions, a single policy enforced everywhere, and a smaller attack surface.
- Better use of network and security staff. Deployment times are reduced, fewer skills and resources are needed to manage a unified platform, a single policy is applied throughout the various security functions, and redundant activities go away.
- Improved experiences for users and system administrators. Performance issues such as latency and jitter are easier to tame or eliminate, it's easier to diagnose issues end-to-end, and there is a single repository for logs and other event data.

Of course, implementing such a solution can have its challenges as well, like how to deal with organizational silos and what to do about existing IT investments. Global coverage can be an issue for the early-stage vendors. Fortunately, Cato has extensive coverage with 75+ PoPs around the world today. Gartner says solution maturity can be an issue, but that's mainly a problem for the neophyte vendors. With more than 8 years in the single-vendor SASE business behind us, Cato is one of, if not the, most mature vendor in the market.
Gartner Offers Recommendations

As with all Gartner guides, the research firm has recommendations pertaining to strategy and planning, evaluation, and deployment:

- Establish a cross-functional team including people from both networking and security to increase the potential for a successful implementation.
- Evaluate single-vendor SASE against the backdrop of multi-vendor and managed offerings to determine which method would provide the most flexibility.
- "Choose single-vendor SASE offerings that provide single-pass scanning, single unified console and data lake covering all functions to improve user experience and staff efficacy." (Spoiler alert: Cato provides all of these things.)
- Do a proof of concept (PoC) project with real locations and real users to see how well an offering can meet your needs. (Cato is happy to set you up with a PoC today.)

If you are looking for the most mature and feature-rich single-vendor SASE offering with the largest number of worldwide PoPs, look no further than Cato Networks. Request a demo at https://www.catonetworks.com/contact-us/.

The 5-Step Action Plan to Becoming CISO

If you're a security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...
The 5-Step Action Plan to Becoming CISO

The Path to Becoming CISO Isn't Always Linear

There isn't one definitive path to becoming a CISO. Don't be discouraged if your career path isn't listed above or isn't "typical." If your end goal is to become a CISO, then you've come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or cybersecurity onto the path to becoming a world-class CISO.

Step 1: Becoming a CISO Is About Changing Your Focus

The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic

Making the Shift from Security Engineer to Future CISO

The most common mistake that security engineers make when looking to become CISO is one of focus. To be successful as a security engineer, the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can't see.

How to Think and Act Like a Future CISO

While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for the C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from a problem-solver to a solution-oriented mindset. A common mistake when transitioning to CISO is leading with what's most familiar and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it's not the skillset you must leverage when speaking with the C-suite and boards. The C-suite and boards care about solutions, not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and can translate them in terms of business risk, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections.
The Skillset Necessary to Become a CISO

- Translate technical requirements into business requirements
- Brief executives, VPs, C-level, investors and the board
- Understand the business you're in on a granular level (the company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.)
- Excellent communication: send effective emails and give impactful presentations
- Balance the risk between functionality and security by running risk assessments
- Focus on increasing revenue and profitability in the organization
- Focus on a solution-oriented mindset, not an identification mindset

Step 2: Getting Clear on the CISO Role: So, What Does a CISO Actually Do?

Learn the CISO's Role and Responsibilities (R&R)

The CISO is essentially a translator between the security engineering team and the C-suite.

Step 3: Set Yourself Up for Success in the Role: Measure What Matters

What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game. This means any security incident = CISO gets fired = no one wins. But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality. 100% security means 0 functionality, and vice versa. Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.

Establishing Your Metrics of Success in the CISO Role

What makes CIOs so successful in their role? A single metric of success: five nines (99.999% availability). This allows CIOs to focus on the R&R necessary to achieve this goal.
Suggested CISO KPI and KPI-Setting Process

1. Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark.
2. Provide an executive report with weekly attack-attempt metrics (e.g., 300).
3. Create a proposed benchmark of success, e.g., preventing 98% of attacks.
4. Get management sign-off on your proposed KPIs.
5. Provide weekly reports to executives with the defined attack metrics: attempted weekly attacks and attacks prevented (ensuring security incidents are promptly reported to the C-suite and board).
6. Adjust KPIs as necessary and receive management sign-off.

Step 4: Mind the Gap: Bridge Your Current Technical and Business Gaps

Recommended Technical Education

- GIAC GSEC (Security Essentials)
- CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager) or CISA (Certified Information Systems Auditor) certification
- SASE (Secure Access Service Edge) certification
- SSE (Security Service Edge) certification

Recommended Technical Experience

- At least 3-5 years in IS, cybersecurity, networking or IT with a strong security focus

Recommended Business Education

- An MBA or equivalent business degree, or relevant business experience
- CPA or accounting courses

Recommended Business Experience

- Approximately 3-5 years of business experience
- Business operations, business management, SOC manager, or roles that demonstrate your business, management and leadership acumen

Recommended Understanding Of:

- Industry security standards and frameworks, including NIST, ISO, SANS, COBIT, CERT and HIPAA
- Current data privacy regulations, e.g., GDPR, CCPA and any regional standards

Step 5: How to Get a CISO Job with Limited or No Previous Experience

It's the age-old dilemma: how do I get a job without relevant experience? And how do I get relevant experience without a job?

Take On a Virtual CISO Role at a Friend or Family Member's Small Business

Offer 3 hours of virtual CISO service a week.
In exchange, ask for 3 recommendations a month and for the owner to serve as a positive reference.

Can you receive mentorship from an existing CISO? Do friends, family or former colleagues know any CISOs you can connect with? Start there. Reach out on LinkedIn to CISOs and invite them to coffee or dinner. Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay). Remember: it's a numbers game. Don't get discouraged after a few "nos" or a lack of responses.

Getting Your First CISO Job: Your Action Plan for Career Success

Applying For Jobs

Your resume has one and only one goal: to get you the interview.

Week 1: Send out 20 resumes for CISO jobs with your existing resume. How many respond and request interviews (within 2 weeks)? If you get under a 50-70% response rate, you need to revise your resume. Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5-2 weeks to respond). Be ready to adapt and adjust your resume as many times as necessary, using the process above, until you hit your benchmarks of success.

Revising Your Resume for Success

If you're not hitting a 50-70% interview rate on your resume, it's time to revise it. But what do you change?

The Most Common Mistakes Found on CISO Resumes (Don't Fall into a Trap)

Your resume should highlight not only your technical abilities but also your business acumen. Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements). Have you briefed executives and boards? Have you given effective presentations? Have you created risk management programs and aligned the entire organization behind them? Do you lead an online forum on cybersecurity best practices? Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.
The Interview Rounds

The CISO interview process generally runs between 5 and 7 interview rounds. Remember: the goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, the CIO, HR, and more.

You've Got This: The Road to Landing Your First CISO Role

As the saying goes, "the best way to predict the future is to create it." We hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who's hunting for a new CISO role, if you feel it's been helpful.

Life After Landing the Coveted CISO Role

Congrats! You've Been Hired as a CISO

You did it. You've landed your first CISO role. We couldn't be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.

Ensuring Your Success in the CISO Role: Things to Keep in Mind

After speaking with thousands of CISOs since 2016, we think it's important to keep the following in mind.

Your Network Security Architecture Will Determine Your Focus and Impact

No matter the organization or the scope, your CISO role depends on meeting, if not exceeding, your promised KPIs. So you'll need to decide: do you want a reactive or a proactive security team? Do you want your team to spend its time hunting and patching security vulnerabilities and reconciling disparate security policies, or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you'll need to ensure that your network security architecture minimizes your enterprise's attack surface, so you and your team can devote your attention where it matters.
To achieve this, your team must have full visibility and control of all WAN, cloud, and Internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical work instead of serving as a business enabler through cybersecurity.

Cato SSE 360 = SSE + Total Visibility and Control

Disjointed security point solutions overload resource-constrained security teams, impacting security posture and increasing overall risk due to configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that only extends to the Internet, public cloud applications, and select internal applications, leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn't part of single-vendor SASE can't extend convergence to SD-WAN to complete the SASE transformation journey.

Cato Networks' SSE 360 service lets you solve this. SSE 360 optimizes and secures all traffic, to all WAN, cloud, and Internet application resources, and across all ports and protocols. For more information about Cato's entire suite of converged network security, please read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.

The OpenSSL Vulnerability: A Cato Networks Labs Update

The new high severity vulnerabilities in OpenSSL, CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service), were disclosed this week.

What is OpenSSL?

OpenSSL is a popular open-source cryptography library that enables secured communications over the Internet, in part through the generation of public/private keys and its implementation of the SSL and TLS protocols.

What Are the Vulnerabilities?

The vulnerabilities affect OpenSSL versions 3.0.0 to 3.0.6 and are fixed in 3.0.7; the 1.1.1 and 1.0.2 series are not affected. Both are reached only after certificate chain signature verification has succeeded, and then only if one of two unlikely conditions is met: a certificate authority (CA) has signed the malicious certificate, or the application continues verifying a certificate despite failing to build a path to a trusted issuer. A TLS client is exposed by connecting to a malicious server; a TLS server is exposed only if it requests client authentication and a malicious client connects.

[boxlink link="https://www.catonetworks.com/sase-quarterly-threat-research-reports/?utm_source=blog&utm_medium=top_cta&utm_campaign=q_reports"] SASE Quarterly Threat Research Reports | Go to Reports [/boxlink]

With CVE-2022-3602, a buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow four attacker-controlled bytes on the stack, which could result in a crash, causing a denial of service (DoS), or potentially remote code execution (RCE).

With CVE-2022-3786, a buffer overrun can also be triggered in the same name constraint checking code. Here the attacker crafts a malicious email address to overflow an arbitrary number of bytes, all containing the "." character (decimal 46), on the stack, resulting in a crash and therefore a DoS. (Read the OpenSSL Security Advisory for detailed information about the attacks.)

What's the Impact on Cato SASE Cloud?

None. While Cato does use OpenSSL, neither vulnerability impacts our infrastructure: neither our cloud assets, the Cato Socket, nor the Cato Client use a vulnerable version of OpenSSL.

What Actions is Cato Taking?
Cato Networks Research Labs is investigating the unlikely case of exploitation attempts and is considering adding new IPS signatures to block them. Currently, we have not seen incidents or published reports of exploitation attempts in the wild.

What Actions Should I Expect from Other Tech Vendors?

The issue is severe enough that all vendors should upgrade affected appliances and software to OpenSSL 3.0.7 or later. You can see a list of affected software here. While patching and protecting users at Cato can happen instantly, as it did with Log4j, that's not the case with all solutions. Expect exploits of the OpenSSL vulnerabilities to linger, as we saw with Log4j. Cato Networks Research Labs will continue to monitor the situation and update accordingly.
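The first thing a practitioner wants after reading the version range above is a way to triage an estate against it. The following is an added example, not code from the original post or from Cato: it parses `openssl version` style banners, flags only the 3.0.0 through 3.0.6 range (3.0.7 carries the fix; 1.0.2 and 1.1.1 are not affected), and applies the same check to the OpenSSL the running Python interpreter is linked against. The tab-separated inventory format and all hostnames are constructed for the example. One caveat the banner alone cannot settle: some distributions backport the fix while keeping the old version number, so treat a hit from this script as "verify against the vendor's advisory", not as a confirmed vulnerability.

```python
"""Added example (not from the original post): triage OpenSSL version
banners against the CVE-2022-3602 / CVE-2022-3786 affected range.

Affected: OpenSSL 3.0.0 through 3.0.6. Fixed: 3.0.7 and later.
The 1.0.2 and 1.1.1 series are not affected.
"""
import re
import ssl

# `openssl version` prints e.g. "OpenSSL 3.0.5 5 Jul 2022" or
# "OpenSSL 1.1.1q  5 Jul 2022"; the 1.x line used a letter patch suffix.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_SERIES = (3, 0)  # only the 3.0.x line carries the bug
FIXED_PATCH = 7           # 3.0.7 is the first fixed release


def parse_openssl_version(banner):
    """Return (major, minor, patch, letters) from a version banner, or None
    when the banner is not OpenSSL at all (LibreSSL, BoringSSL, garbage)."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def is_affected(banner):
    """True only for OpenSSL 3.0.0 .. 3.0.6 according to the banner."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    major, minor, patch, _letters = parsed
    return (major, minor) == AFFECTED_SERIES and patch < FIXED_PATCH


def affected_hosts(inventory_text):
    """Parse 'hostname<TAB>banner' lines (a constructed inventory format,
    assumed for this example) and return hosts still on 3.0.0 .. 3.0.6."""
    hits = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, _, banner = line.partition("\t")
        if is_affected(banner):
            hits.append(host)
    return hits


def local_interpreter_status():
    """Classify the OpenSSL this Python interpreter is linked against.
    Returns (banner, affected)."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_affected(banner)


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = """\
# host\tbanner
vpn-gw-1\tOpenSSL 3.0.5 5 Jul 2022
api-edge-2\tOpenSSL 3.0.7 1 Nov 2022
legacy-mail\tOpenSSL 1.1.1q  5 Jul 2022
bsd-jump\tLibreSSL 3.5.3
build-runner\tOpenSSL 3.0.2 15 Mar 2022
"""

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: banner in affected range, upgrade to OpenSSL 3.0.7 or later")
    banner, affected = local_interpreter_status()
    print(f"this interpreter: {banner} -> {'AFFECTED' if affected else 'not affected'}")
```

Run it as a script to see the two constructed hosts it flags and the verdict for your own interpreter; feed `affected_hosts()` the output of whatever inventory tool you actually have, as long as each line is host, tab, banner.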

Inside a Network Outage: How Cato SASE Cloud Overcame Last Week’s Fiber Optic Cable Cut

Last week, once again, the industry saw the importance of building your enterprise network on a global private backbone, not just the public Internet. On Monday night, a major fiber optic cable was severed in the Bouches-du-Rhône region of France. The cut impacted the Internet worldwide. Instantly, packet loss surged to 100 percent on select carriers connecting to our Marseilles, Dubai, and Hong Kong PoPs.

And yet, despite this major outage, Cato users were unaffected. No tickets were opened; no complaints were filed. Why? Because the Cato SPACE architecture detected the packet loss spike on the carrier's network and moved user traffic to one of the other tier-1 providers connecting the Cato PoP. All of this was done automatically and in seconds. Just look at the report below from our Marseilles PoP. Notice how at 02:21 UTC Cato isolated the two affected carriers (aqua and orange lines) and traffic was picked up by the other carriers at the PoP.

Uplink Traffic Report from Cato's Marseilles PoP

It's not the first time we've seen the resiliency of the Cato Global Private Backbone. Whether it's a network failure or a crash at a top-tier datacenter housing a Cato PoP, Cato has proven its ability to recover automatically and quickly with little or no impact on the user experience.

The network engineering involved in delivering that kind of availability and performance goes to the very DNA of Cato. From the very beginning, we built our company to address both networking and security. Our founders didn't just help build the first commercial firewall (Shlomo Kramer); they also built a global cloud network (Gur Shatz). The teams they lead have built the tools and processes to lead in both domains, which is what's required in this world of SASE.
When building the Cato Global Private Backbone, we wanted to provide enterprises with the optimum network experience regardless of a site's location, the route taken, or network conditions. As such, we built many tiers of redundancy into Cato: users automatically connect to the optimum PoP, and there is instant failover between SPACE instances within a server, between servers within a PoP, and between PoPs. (Follow the link for a detailed look at the resiliency built into the Cato Global Private Backbone.)

[boxlink link="https://www.catonetworks.com/resources/single-pass-cloud-engine-the-key-to-unlocking-the-true-value-of-sase/?utm_medium=blog_top_cta&utm_campaign=space_wp"] Single Pass Cloud Engine: The Key to Unlocking the True Value of SASE | EBOOK [/boxlink]

Building our backbone from third-party networks, such as those offered by Amazon, Azure or Google, would certainly have been easier, but it would also have compromised our control over the underlying network. The network between two PoPs on an Azure or Amazon network in the same region or zone might be reliable enough, but what happens when those PoPs exist across the globe, in different hyperscaler regions or zones, or on separate hyperscaler networks altogether?

As both networking and security professionals, we at Cato didn't want to leave those and other scenarios to chance. We wanted to own the problem end-to-end and assure enterprise customers that they would receive optimum performance all the time, from anywhere to anywhere, even during failover conditions.

By building PoPs on our own infrastructure and curating PoP-to-PoP connectivity, we control the routing, carrier selection, and PoP placement. Carriers connecting our PoPs have been carefully selected for zero packet loss and low latency to other PoPs and for optimal global and regional routes. The Cato SPACE architecture monitors those carrier networks, automatically selecting the optimum path for every packet.
This way, no matter the scenario, users receive optimum performance. And by owning the infrastructure, we can deliver PoPs where enterprises require them, not where hyperscalers want to place them. With 75+ PoPs all running Cato's cloud-native SPACE architecture, Cato has more real-time deep packet processing capacity than any hyperscaler worldwide. It's why enterprises with users in 150+ countries trust Cato every day to help them slash telecom costs, boost performance by 20x, and increase availability to five nines by replacing their legacy MPLS networks with the Cato Global Private Backbone.

For many so-called SASE players, one side or the other gets missed. Players coming from the security world need to outsource PoP placement to third parties who understand networking. Networking vendors coming to SASE need to partner for security expertise. Both approaches compromise the SASE solution. Cato is the only vendor in the world built from the ground up to be a single-vendor SASE platform. This is why we can deliver the world's most robust single-vendor cloud-native SASE platform today.

New Gartner Report Identifies Four Missed Tips When Evaluating SASE Platform Capabilities

Gartner has long been clear about the core capabilities that comprise a SASE solution. And as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE, Cato meets those capabilities, delivering SWG, CASB, ZTNA, SD-WAN, FWaaS, and malware inspection, all at line-rate operation even when decrypting traffic.

While a single platform providing those capabilities is certainly impressive, we at Cato have never thought those features alone make for a single-vendor SASE platform. To radically simplify and improve their security and network operations, IT teams require a fully converged platform. Platforms where capabilities remain discrete and fail to share context and insight force IT operations to keep juggling multiple consoles, which leads to the same difficulties IT has long faced when troubleshooting and securing legacy networks.

Gartner would seem to agree. In the 2022 Gartner Market Guide for Single-Vendor SASE (available here for download), Gartner explains how the core capabilities of a well-architected single-vendor SASE offering should be integrated together, unified in management and policy, built on a unified and scalable architecture, and designed in a way that makes them flexible and easy to use.

You Say Integrated, We Say Converged

What Gartner describes as integrated we prefer to call converged. But whether it's converged or integrated, we both agree on the same point: all capabilities must be delivered from one engine, where event data is stored in one common repository and surfaced through a common analytics engine.
[boxlink link="https://www.catonetworks.com/news/cato-has-been-recognized-as-representative-vendor-in-2022-gartner-market-guide-for-single-vendor-sase/?utm_medium=blog_top_cta&utm_campaign=gartner_market_guide_news"] Cato Networks Has Been Recognized as a Representative Vendor in the 2022 Gartner® Market Guide for Single-Vendor SASE | Read now [/boxlink]

Unified Management and Policy: Essential for Visibility and Enforcement

Arguably the biggest operational challenge for legacy networks post-deployment is data distributed across appliances and, by extension, across data repositories. How do operational teams quickly identify, diagnose, and address potentially malicious or problematic activity and then enforce consistent security policies across the enterprise? And, as a cloud service, how is that done in a way that gives enterprise customers complete control over their own networks while running on a shared platform?

At Cato, we've developed the Cato SASE Cloud so that a single management console gives enterprises control over all Cato capabilities, networking and security alike. A single policy stack uses common data objects, enabling enterprises to set common security policies for users and resources in and out of the office. And the Cato architecture is a fully multitenant, distributed architecture, giving customers complete control over and visibility into their own networks.

The Cloud Provides a Unified and Scalable Architecture

With legacy networks, IT teams must invest considerable time and resources in maintaining their branch infrastructure. Appliances need to be upgraded as new capabilities are enabled or traffic volumes grow. And with each new security feature enabled, there's a performance hit that further degrades the user experience. All of which is why Cato built the Cato SASE Cloud platform on a global network of PoPs.
Every Cato PoP consists of multiple compute nodes with multiple processing cores, with each core running a copy of the Cato Single Pass Cloud Engine (SPACE), Cato's converged networking and security software stack. Cato SPACE handles all routing, optimization, acceleration, decryption, and deep packet inspection processing and decisions. SPACE is a single-pass architecture, performing all security inspections in parallel, which allows Cato to maintain wire-speed inspection regardless of traffic volumes and enabled capabilities.

Make it Flexible, Make it Easy

With legacy networks, IT leaders had a tough choice: backhaul traffic to a central inspection point, simplifying operations but adding latency and undermining performance, or inspect traffic on-site for better performance but far more complicated operations and deployment.

At Cato, we found a different approach: bring processing as close to the user as possible by building out a global network of PoPs. With the Cato SASE Cloud spanning so many PoPs worldwide, enterprise locations are typically within 25ms RTT of a Cato PoP. In fact, today Cato serves 1,500 enterprise customers with sites and users in 150+ countries. With PoPs so nearby, enterprises gain the reduced-latency experience of local inspection without burdening IT, all with the simplicity of a cloud service.

Single-Vendor SASE: It's Not Just About the Features

SASE didn't introduce new capabilities per se. Firewalling, SWG, CASB, ZTNA, SD-WAN, and malware inspection, all of SASE's core capabilities, preceded SASE. What SASE introduced was a new way of delivering those capabilities: a singular cloud service where the capabilities are truly one, fully converged (or integrated) together, managed from one console and delivered globally from one platform, everywhere. Yes, evaluating features must be part of any SASE platform assessment, but to focus on features is to miss the point.
It is the SASE values of convergence, simplicity, ubiquity, and flexibility -- not features -- that ultimately differentiate SASE platforms. 

The Return On Investment of SD-WAN

What is the ROI on SD-WAN projects? Most enterprises look at SD-WAN as an MPLS alternative, hoping to reduce their MPLS connectivity costs. But the actual SD-WAN ROI is a mix of hard and soft savings, from increased overall network capacity and availability to a reduced operational load of managing and securing the network. Let's look at the various areas of savings SD-WAN can offer and the resulting ROI.

SD-WAN ROI Driver #1: Reducing MPLS Connectivity Costs

Enterprises have long invested in managed MPLS services to connect locations. The bandwidth is expensive (relative to Internet capacity) and often limited or unavailable on some routes, forcing companies to either pay exorbitant fees to connect locations or, more likely, resort to Internet-based VPNs, complicating network design.

SD-WAN promises to break that paradigm, replacing MPLS entirely or partly with affordable last-mile Internet connectivity. The magnitude of SD-WAN savings is often related to how much MPLS can be replaced and the type of Internet-based connectivity used. Here there's a balance of considerations. Symmetrical Internet connections (also known as Dedicated Internet Access or DIA) offer guaranteed capacity, providing modest savings relative to MPLS. Asymmetrical connections with best-effort capacity, such as xDSL or cable, can be aggregated together to match and exceed MPLS last-mile uptime at a substantial discount compared to MPLS.

[boxlink link="https://www.catonetworks.com/resources/5-things-sase-covers-that-sd-wan-doesnt/?utm_medium=blog_top_cta&utm_campaign=things_sase_covers_sd-wan_doesnt"] 5 Things SASE Covers that SD-WAN Doesn't | EBOOK [/boxlink]

Often, the ROI argument for SD-WAN is less about hard cost savings and more about optimizing network spending. Enterprises receive far more capacity and functionality for the same amount spent on MPLS. The cost per bit drops dramatically, enabling IT to equip locations with 5x to 10x more capacity.
With SD-WAN able to aggregate and fail over between multiple last-mile lines, uptime increases significantly.

One example is Fischer & Co, an automotive company that reduced its connectivity costs by 70% by replacing MPLS with Internet last-mile and the Cato SASE Cloud, while relying on Cato SSE 360 for network security protection. Along with the cost savings, Fischer & Co gained the agility to respond to new business challenges instantly, adding new security services or opening new locations, all without the operational overhead of upgrading and scaling branch security appliances.

SD-WAN ROI Driver #2: Reducing the Costs of Branch Security

SD-WAN also allows organizations to avoid the branch security costs of legacy networks. With legacy architectures, enterprises backhaul branch Internet traffic to a regional datacenter for security inspection and policy enforcement. This approach consumes precious MPLS capacity, increasing costs while adding latency that undermines the user experience. With SD-WAN, companies avoid consuming expensive MPLS capacity on Internet traffic. Instead, MPLS only carries critical application traffic, offloading bandwidth-hungry and less critical applications to Internet connections.

However, this now requires branch security to inspect and enforce policies on the Internet flows. SD-WAN appliances include basic firewalls, but those firewalls lack the threat protection needed by today's enterprises. Branch firewalls offer more capabilities, but their capacity constraints limit inspection for CPU-intensive operations, such as SSL decryption, anti-malware, and IPS. As traffic grows or new capabilities are enabled, companies are often forced to upgrade their appliances. Cloud-based SSE solutions are more scalable but incur the operational cost of integrating and managing another point solution. Network and network security convergence through a single-vendor SASE platform offers a way to tackle this tradeoff.
Alewijnse, a Dutch manufacturing company, eliminated its MPLS network and applied enterprise-grade security to all traffic by switching to the Cato SASE Cloud, taking advantage of Cato's full SSE 360 protection. "With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost," said Willem-Jan Herckenrath, ICT Manager at Alewijnse.

UMHS, a healthcare company, eliminated its MPLS network and branch security firewalls by moving to Cato's converged, cloud-native and global SASE service. "UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud," said Leslie W. Cothren, IT director at UMHS.

SD-WAN ROI Driver #3: Network Automation and Co-managed Services

One of the costliest components of enterprise networking is the network management model. Legacy network management comes in two flavors: Do It Yourself (DIY) and a managed service. With DIY, network managers often use crude tools like command line interfaces (CLIs) to manage router configurations. Since any network outage costs the business, networking teams focus on availability and evolve the network very slowly; maintaining dynamic traffic routing or failover becomes very complex. To reduce this complexity, IT outsources network management to service providers, which increases costs and can lengthen resolution times depending on the provider.

SD-WAN promises an improvement in network agility. DIY enterprises can automate network changes and increase network resiliency. However, SD-WAN does add "one more box to manage."
For enterprises that prefer a managed service, a new co-managed model enables IT to make quick network changes through self-service while the service provider maintains the SD-WAN service. In a co-managed model, the customer doesn't have to maintain the underlying infrastructure and can focus instead on business-specific outcomes.

A case in point is Sun Rich, a food supplier with a North American network comprised of multiple MPLS providers, SD-WAN appliances, WAN optimization solutions, and network security devices, all managed by a small IT team. Every appliance came with its own management platform, complicating troubleshooting. By switching to the Cato SASE Cloud, Sun Rich reduced costs and gained control over network and security changes through Cato's single, converged management application. "Based on our size, our annual renewals on our appliances alone were nearly Cato's price," says Adam Laing, Systems Administrator at Sun Rich. "Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers," he says.

But Is SD-WAN Enough? Comparing SD-WAN to SASE

SD-WAN offers significant opportunities to reduce costs and gain more "bang for the buck" compared to MPLS, but SD-WAN alone is insufficient to address the needs of today's workforce. As such, an SD-WAN ROI evaluation must consider the myriad additional point solutions needed to meet enterprise networking and security requirements.

The most obvious example, perhaps, is the hybrid workforce. SD-WAN only connects locations; remote users require additional services. Security requirements demand protection against malware, ransomware, and other network-based threats not provided by the rudimentary firewalls included in SD-WAN devices, forcing the deployment of third-party security solutions. Cloud connectivity solutions are also required.
Additionally, SD-WAN performance over the long haul is undermined by the unpredictability of the Internet core, requiring the subscription to and integration of yet another solution: a global private backbone.

Separately, these individual solutions may be manageable, but together they significantly complicate troubleshooting and deployment. Deployment takes longer as each point solution must be rolled out. Problems take longer to resolve as operations teams must jump between management interfaces to solve issues. In short, organizational agility is reduced at a time when agility is often the very reason for adopting SD-WAN.

How Does SASE Solve SD-WAN's Limitations? Read the eBook

SASE solves these challenges while reducing overall spending compared to MPLS alternatives like SD-WAN. Cato SASE Cloud overcomes SD-WAN's limitations with built-in SSE 360: a zero-trust, cloud-native architecture with a complete range of security protections, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) with Advanced Threat Prevention (IPS and next-generation anti-malware). Those capabilities operate from Cato's global platform, making them available anywhere while providing locations and remote users with MPLS-like performance at a fraction of global MPLS costs. And with all components managed through a single interface, troubleshooting happens far faster than when juggling multiple interfaces. In short, SASE delivers the promises of SD-WAN without its limitations, providing considerable cost savings without compromising security, simplicity, or performance. For a more in-depth comparison of SASE vs SD-WAN, download our complimentary eBook, 5 Things That SASE Covers that SD-WAN Does Not.

The Gnutti Carlo Group Names Cato Networks 2021 Best Supplier in the Innovation Category

Cato has received much praise and many industry awards from analysts over the years, but it's our customers who know us best. So it's especially gratifying to receive an award from a customer: the 2021 Best Supplier award in the Innovation Category from global manufacturer Gnutti Carlo Group. The award recognizes the high value of the WAN connectivity and security the Cato SASE Cloud delivers in support of the Gnutti Carlo Group's digital transformation initiative.

"Thanks to the Cato platform and together with strategic services, the Gnutti Carlo Group has benefitted from a more structured, controlled, and secure ICT landscape across the entire company," says Omar Moser, Group Chief Information Officer for the Gnutti Carlo Group. (You can read more about the award here and the Gnutti Carlo Group's story here.)

Too Much Complexity!

Based in Brescia, Italy, the Gnutti Carlo Group is a leading global auto component manufacturer and partner to several OEMs active in the auto, truck, earthmoving, motorcycle, marine, generator set, and e-mobility sectors. With annual revenues of 700 million euros and nearly 4,000 employees, the company has 16 plants in nine countries in Europe, America, and Asia.

The Group came to Cato to rein in the complexity of its network and security infrastructure, built over the years from numerous mergers and acquisitions. "Since 2000, we have started with an intensive program of internationalization, performing various acquisitions of companies of our sector and even competitors, each with different network and security architectures and policy engines," says Moser. "It was difficult to keep policies aligned and prevent back doors and other threats."

The company had several datacenters across its locations for local services and took advantage of Microsoft Office 365, Microsoft Azure, and hosted SAP cloud services.
"We had it all: public cloud, private cloud, and on-premises applications," says Moser. Most locations were connected with IPsec VPNs, except for China, which was reached from Frankfurt via a shared MPLS. Moser realized that the only way to serve the business effectively was to centralize security and interconnection control among all locations and between plants, suppliers, and the cloud.

[boxlink link="https://www.catonetworks.com/customers/the-gnutti-carlo-group-centralizes-wan-and-security-boosts-digital-transformation-with-cato/?utm_medium=top_cta&utm_campaign=gnutti_case_study"] The Gnutti Carlo Group Centralizes WAN and Security, Boosts Digital Transformation with Cato | Customer Success Story [/boxlink]

Cato Does it All

He looked at several SD-WAN and SASE solutions, but Cato SASE was the only one that could deliver on all his requirements. "The other solutions couldn't give us a single package with integrated security, networking, and remote access," says Moser. He liked other things about the Cato solution, including its large number of globally dispersed points of presence, its SASE architecture, its single network and security dashboard, and its forward-looking roadmap. Less tangible pluses were his great relationship with Cato and its excellent response time whenever he had any questions.

Moser entered into a three-month conditional purchase contract with Cato, after which he could cancel the contract if it didn't meet expectations. He connected ten plants, two service providers, 650 remote access VPN users, and Microsoft Azure via Cato and deployed Cato's SSE 360 security services across them.

A Platform for Digital Transformation

The results were so positive that he nominated Cato for the Best Supplier award. Network performance was excellent, even in China, where Moser saw a noticeable latency improvement over MPLS.
Security was much improved thanks to firewall policy centralization and optimization and the ability to monitor traffic and block risky services that were previously open. "Standardizing firewall policies and knowing I can prevent intrusions and malware has allowed me to sleep a lot better," says Moser.   Best of all, Cato has enhanced the group's business agility for its digital transformation. "It is my job to be proactive and efficient," says Moser. "If we need to open a new office we can do it easily. With Cato, we have standardization, an innovative approach, and a single partner we can grow with as we transform digitally,"   Satisfying and empowering our customers are Cato's ultimate goals, which is why awards like this one from the Gnutti Carlo Group are music to our ears.

Inside SASE: GigaOm Review of 20 Vendors Finds Platforms Are Far and Few

Since the inception of SASE, there's been a remarkable amount of breast-beating over the number of features offered by SASE solutions. That is a mistake. SASE innovation has always been about the convergence of security and networking capabilities into a cloud service. The core capabilities of SASE are not new. Their convergence in appliances isn't new either; that's what we call UTMs. It's the delivery as a secure networking global cloud service that is so revolutionary. Only with one cloud service connecting and securing the entire enterprise (remote users, sites, and cloud resources) worldwide can enterprises realize the cost savings, increased agility, operational simplicity, deeper security insight and more promised by SASE.

Too often, though, media and analyst communities miss the essential importance of a converged cloud platform. You'll read about vendor market share without any consideration of whether the vendor is delivering a converged solution or just its old appliances marketed under the SASE brand. You'll see extensive feature tables but very little about whether those capabilities exist in one software stack, managed through one interface, which are the hallmarks of a platform.

GigaOm's Radar Report Accurately Captures State of SASE Platform Convergence

Which is why I found GigaOm's recent Radar Report on the Secure Service Access (SSA) market so significant. It is one of the few reports to accurately measure the "platform-ness" of SASE/SSA/SSE solutions. SSA is GigaOm's term for the security models being promoted as SSE, SASE, ZTNA, and XDR, along with networking capabilities such as optimized routing and SD-WAN. The report assesses more than 20 vendor solutions, providing detailed writeups and recommendations for each. (Click here to download and read the report.)

The hundreds of data points gathered are then collapsed into the GigaOm Radar, which provides a forward-looking perspective on the vendor offerings. GigaOm plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. Vendors are characterized based on their degree of convergence into a platform (feature vs. platform play) and their robustness (maturity vs. innovation). The length of the arrow indicates the predicted evolution over the coming 12-18 months:

The GigaOm Radar for SSA found Cato and Zscaler to be the only Leaders who were outperforming the market.

The Findings: Platform Convergence is Not a Given in the SASE Market

The report found Cato SASE Cloud to be one of the few SSA platforms capable of addressing the networking and security needs of large enterprises, MSPs, and SMEs.

The Cato SASE Cloud provides outstanding enterprise-grade network performance and predictability worldwide by connecting sites, remote users, and cloud resources across the optimized Cato Global Private Backbone. Once connected, the Cato SSE 360 pillar of Cato SASE Cloud enforces granular corporate access policies on all applications, on-premises and in the cloud, and across all ports and protocols, protecting users against threats and preventing sensitive data loss.

Of GigaOm's key SSA criteria, the Cato SASE Cloud was the only Leader to be ranked "Exceptional" in seven of eight categories:

- Defense in Depth
- Identity-Based Access
- Dynamic Segmentation
- Unified Threat Management
- ML-Powered Security
- Autonomous Network Security
- Integrated Solution

And Cato received a similarly near-perfect score when it came to the core networking and network-based security capabilities comprising SSA solutions: SD-WAN, FWaaS, SWG, CASB, ZTNA, and NDR.

"Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service," says the report. "Developed in-house from the ground up, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service. Delivering low latency and predictable performance via a global private backbone"

To learn more, download the report.

15 Networking Experts To Follow on LinkedIn

Technology is fast-paced and constantly changing, but it seems like the past few years have broken every record. Covid-19 and the transition to remote work, high-profile cyber security attacks and massive geopolitical shifts have intensified the need for new networking solutions, and vendors are quick to respond with new networking point solutions that address the problems du jour. But how can IT teams and network architects make heads or tails of these rapid shifts? Such intense global and industry-wide changes call for the advice of experts who are familiar with both the technical and business landscape and can speak to the newest technology trends.

Below, we've listed 15 of the top experts in enterprise networking and SD-WAN that we recommend following on LinkedIn. They are masters of their domain and industry leaders who can help you stay up to date with the latest developments in the world of enterprise networking. They have many years of hands-on and consulting experience, so when they speak about enterprise networks, it's always worth hearing what they have to say.

1. Greg Ferro (https://www.linkedin.com/in/etherealmind/, @etherealmind)
Greg is a co-founder of Packet Pushers, an online media outlet that has covered data, networking and infrastructure for over 12 years. Packet Pushers provides valuable information that can help nearly any professional in the networking field, including insights on public cloud usage, SD-WAN, five-minute vendor news, IPv6, and more. Home to a series of podcasts, blog posts, articles, a Spotify channel, and even a newsletter, it's a multimedia experience. Besides Packet Pushers, Greg runs another well-known industry blog, EtherealMind.com.

2. Ivan Pepelnjak (https://www.linkedin.com/in/ivanpepelnjak/, @ioshints)
Ivan is a blogger at ipSpace.net, an author, a webinar presenter and a network architect. His writings and webinars focus mainly on network automation, software-defined networking, large-scale data center tech, network virtualization technologies and advanced IP-based networks. By following him and/or ipSpace.net, you will have access to a plethora of network technology resources, including online courses, webinars, podcasts and blogs.

3. Orhan Ergun (https://www.linkedin.com/in/orhanergun/, @OrhanErgunCCDE)
Orhan is an IT trainer, an author and a network architect. On LinkedIn, Orhan shares his ideas and thoughts, as well as updates about his recent webinars, blog posts and training courses, with his ~40,000 followers. He also spices up his updates by sprinkling in funny memes with inside IT humor. Orhan's courses can be found on his website at orhanergun.net, where he focuses on network design, routing, the cloud, security and large-scale networks.

4. Jeff Tantsura (https://www.linkedin.com/in/jeff-tantsura/)
Jeff is a Sr. Principal Network Architect at Azure Networking, as well as a writer, editor, podcaster, patent inventor and advisor to startups in the networking and security areas. His bi-monthly podcast, "Between 0x2 Nerds", discusses networking topics including network complexity, scalability, up-and-coming technologies and more. The podcast hosts industry experts, software engineers, academic researchers and decision-makers, so when listening to it you can expect to hear from professionals with a wide variety of opinions, points of view and areas of expertise.

5. Daniel Dib (https://www.linkedin.com/in/danieldib/, @danieldibswe)
Daniel Dib is a Senior Network Architect experienced in routing, switching and security. He is also a prolific content creator, writing blog posts for his own networking-focused blog "Lost in Transit", as well as for additional publications like "Network Computing". His blog is a great choice if you're interested in learning more about CCNA, CCNP, CCDP, CCIE, CCDE and other certification courses. His social media posts cover both professional and personal matters, for those of you who like to get to know the person behind the professional.

6. David Bombal (https://www.linkedin.com/in/davidbombal/, @davidbombal)
David Bombal is an author, instructor and YouTuber, creating content for networking professionals across multiple channels. Focusing on topics like network automation, Python programming, ethical hacking and Cisco exams, his videos, podcasts and courses provide a wide range of resources for beginners and advanced learners. David's online Discord community is also worth visiting, as an online venue for ongoing IT support and communication.

7. John Chambers (https://www.linkedin.com/in/johnchambersjc/, @JohnTChambers)
John is the CEO of JC2 Ventures and was previously at Cisco for 26 years, serving as CEO, Chairman and President, among other positions. With more than 263,000 followers on LinkedIn and more than 22,000 on Twitter, John is an important source of information for networking professionals interested in a broader, more strategic view of the technology market.

8. Tom Hollingsworth (https://www.linkedin.com/in/networkingnerd/, @networkingnerd)
Tom is a networking analyst at Foskett Services and the creator of networkingnerd.net, an online media outlet where he offers a tongue-in-cheek take on networking news and trends. In his latest post he compares Apple AirTags and lost luggage at airports to SD-WAN. If blog posts aren't your thing, you can also hear what Tom has to say on his "Tomversations" YouTube playlist or by attending the "Tech Field Day" events he organizes.

9. Matt Conran (https://www.linkedin.com/in/matthewconranjnr/)
Matt is a cloud and network architecture specialist with more than 20 years of networking experience in support, engineering, network design, security and architecture. Matt juggles consultancy as an independent contractor with publishing technical content on his website "Network Insight" and creating training courses on Pluralsight. On his website, you can find helpful explainer videos and posts on a variety of networking topics including cloud security, observability, SD-WAN and more.

10. Russ White (https://www.linkedin.com/in/riw777/, @rtggeek)
Russ White is an infrastructure architect, co-host of "The Hedge", a computer networking podcast, and a blogger. He has also published a number of books on network architecture. His LinkedIn posts are a bulletin board of his latest blog and podcast updates, so by following him you can keep track of his latest publications, ranging from hands-on network advice to thoughts on how technology will be shaped by global events.

11. Ben Hendrick (www.linkedin.com/in/bhendrick/)
Ben is the Chief Architect in the Office of the CTO of the Global Secure Infrastructure Domain at Microsoft. His LinkedIn posts focus mainly on recent cybersecurity updates, covering specific events as well as industry trends. With nearly 35 years of network and security experience, you can be sure his daily updates are based on broad insights and a deep familiarity with the networking and security space.

12. Ashish Nadkarni (https://www.linkedin.com/in/ashishnadkarni/, @ashish_nadkarni)
Ashish leads two research groups at analyst firm IDC. Both of them, Infrastructure Systems, Platforms and Technologies (ISPTG) and BuyerView Research, are part of IDC's Worldwide Enterprise Infrastructure practice. Ashish delivers reports, blog posts and webinars, and his LinkedIn feed is a good way to keep up with the latest trends and technologies in networking. Examples of his previous posts include preparing for IT infrastructure supply shortages, storage for AI workloads, and takeaways from networking industry events.

13. Erik Fritzler (https://www.linkedin.com/in/erikfritzler/, @FritzlerErik)
Erik has nearly 25 years of experience in network architecture and regularly posts blogs on "Network World". He specializes in SD-WAN, network design and engineering, and IT security. In his recent blog post "Why WAN metrics are not enough in SD-WAN policy enforcement", he discusses how SD-WAN captures metrics that go far beyond the typical WAN measurements, including application response time, network transfer time, and server response time.

14. Matt Simmons (https://www.linkedin.com/in/mattsimmonssysadmin/, @standaloneSA)
Matt is an SRE at SpaceX, where he is responsible for the infrastructure around the ground control plane. His team owns the OS installation on bare metal, up through the Kubernetes orchestration layer, as well as monitoring, CI/CD and more. If you're interested in learning about technological "How To's" and the science of space, Matt's LinkedIn is the place for you. Matt also has a GitHub repository where he hosts projects and experiments that may be helpful to networking professionals.

15. Cato Networks (https://www.linkedin.com/company/cato-networks/, https://twitter.com/CatoNetworks)
Did you know that Cato Networks is also on social? Our social channels are a great way to keep on top of SASE and Security Service Edge (SSE) updates, read original research and even get access to "member only" exclusive events. We run surveys, host giveaways and include updates from industry experts, like our CEO and COO, Shlomo Kramer (co-founder of Check Point) and Gur Shatz (co-founder of Imperva).

Who Do You Follow?

As business needs and technologies evolve, it can be difficult to constantly keep up with the changes. Experts like the 15 listed above can help, by passing on their know-how, insights and experience through their LinkedIn, blogs, YouTube channels, or whatever way you prefer to consume content. So, who do you follow? Share with us on LinkedIn.

Is SD-WAN Really Dead?

Happy To Announce the Birth of a New Technology - SD-WAN

It wasn't that long ago that we oohed and ahhed over the brand-new technology called SD-WAN. The new darling of the networking industry would free us from the shackles of legacy MPLS services. But just as we're getting used to the toddling SD-WAN, along came yet another even more exciting newborn, the Secure Access Service Edge (SASE). It would give us even more: more security, better remote access, and faster deployment. SD-WAN? That's so yesteryear. Or is it? Is SD-WAN another networking technology to be cast off and forgotten in this SASE world, or does SD-WAN continue to play an important role? Let's find out.

SD-WAN: The Toddler Years

When SD-WAN was born, there was much to love. It was cute, shiny, and taught enterprises how to walk: walk away, that is, from MPLS to a network designed for the new world. MPLS came of age when users worked in offices, resources resided in the datacenter, and the Internet was an afterthought. It was hopelessly out of step with a world that needed to move fast and one obsessed with the Internet. SD-WAN addressed those problems, creating an intelligent overlay that allowed companies to tap commodity Internet connections to overcome the limitations of MPLS. More specifically this meant:

- More capacity to improve application performance
- Reduced network costs by using affordable Internet access, not high-priced MPLS capacity
- More bandwidth flexibility by aggregating Internet last-mile connections
- Improved last-mile availability by connecting sites through active/active connections
- Faster deployments, allowing sites to be connected in days, not months

SD-WAN: The Teenager That Disappoints

But then the world changed, again. Resources moved into the cloud and the pandemic sent everyone home. Suddenly the office was no longer the focus of work. Solving the site-to-site communications challenge was no longer sufficient. Now companies needed a way to bring advanced security to wherever resources resided, in the cloud or the private data center, and wherever users worked, in the office, at home, or on the road, and do all of that without compromising performance. None of that was in SD-WAN's job description, making the following use cases particularly challenging:

Remote Workforce: SD-WAN lacks support for remote access, period. There was no mobile client to join an SD-WAN. But today secure remote access is an essential pillar for guaranteeing business continuity.

Cloud Readiness: SD-WAN is limited in its cloud readiness. As an appliance-based architecture, SD-WAN requires the management and integration of proprietary appliances to connect with the cloud. Optimized cloud connectivity requires expensive premium services, such as AWS Direct Connect or Azure ExpressRoute.

Global Performance: SD-WAN might perform well enough within a region, but the global Internet is too unpredictable for the enterprise. It's why all SD-WAN players encourage the use of third-party backbones for global connectivity. Such an approach, though, increases the complexity and costs of a deployment, and fails to deliver the benefits of optimized performance.

Advanced Security: SD-WAN lacks the necessary security to protect branch offices. Next-generation firewall (NGFW), Intrusion Prevention System (IPS), Secure Web Gateway (SWG), anti-malware: all are necessary components for protecting the enterprise, and none of them are provided by SD-WAN. Factoring in the necessary appliances and services for delivering these capabilities significantly increases the cost and complexity of SD-WAN deployments.

SD-WAN: The Senior Years

So, SD-WAN isn't perfect, but you might be wondering, why not let it coexist with the rest of the security and networking infrastructure? Just deploy a SWG or a Security Service Edge (SSE) solution. Doing so, though, leads to a network that's at best managed with separate brains, one for your SD-WAN and another for your security infrastructure, and more likely additional "brains" for handling the rest of your security infrastructure and the global backbone. And with multiple brains, everything becomes more complicated:

Forget zero-touch: SD-WAN made noise about offering zero-touch configuration, but the reality is far different. Without the necessary security capabilities, SD-WANs become far more complicated to deploy, requiring the additional security appliances to be assessed, purchased, delivered to the locations, installed, and integrated.

High Availability (HA) becomes a headache: With SD-WAN relying on Internet connections, HA is all but required. But with multiple brains, HA becomes far more challenging. There's no automated provisioning of resilient connections between devices or services. There's also no associated dynamic failover, requiring companies to install backup appliances and spend additional operational time testing failover scenarios.

Visibility is limited: Fragmenting data across multiple networking and security systems means you never have a complete view of your network. You can't spot the network indicators of new threats. Outages become more difficult to troubleshoot with data hiding within multiple appliance logs.

Relying on SSE offerings or security services in the cloud won't fully address the problem. Deployment is still a problem, as there's no automated traffic routing and tunnel creation between SD-WAN devices and cloud security PoPs. Security infrastructure is also unable to consume and share security policies (such as segmentation) between SD-WAN and cloud security vendors. Operationally, SD-WAN devices and cloud services remain distinct, making troubleshooting more challenging and depriving security teams of networking information that could be valuable in hunting for threats. And in the end, reducing four brains to two is better, but it still leaves you with, well, two brains on one network.

SD-WAN: It's Not Dead, Just Part of a Bigger Family

So, is SD-WAN dead? Hardly. It remains what it always was: an important tool for building the enterprise network. But like the crazy uncle who might be great for laughs but not terribly reliable, SD-WAN has limitations that need to be addressed. What's needed is an approach that uses SD-WAN to connect locations but addresses its security and deployment limitations.

SASE secures and connects the complete enterprise: headquarters, branches in distant locations, users at home or on the road, and resources in the cloud, private datacenters, or on the Internet. With one network securing and connecting the complete enterprise, deployments become easier, visibility improves, and security becomes more consistent. To make that happen, SASE calls for moving the bulk of security and networking processing into a global network of PoPs. SD-WAN devices connect locations to the nearest PoPs; VPN clients or clientless access connect remote and mobile users. Native cloud connectivity within the PoPs connects IaaS and SaaS resources.

Cato is the World's First and Most Robust Global SASE Platform

Cato is the world's first SASE platform, converging SD-WAN and network security into a global, cloud-native service. Cato optimizes and secures application access for all users and locations, including branch offices, mobile users, and cloud datacenters, and allows enterprises to manage all of them with a single management console with comprehensive network visibility. Cato's SASE platform has all the advantages of cloud-native architectures, including infinite scalability, elasticity, global reach and low total cost of ownership.

Connecting locations to the Cato SASE Cloud is as simple as plugging in a preconfigured Cato Socket appliance, which connects to the nearest of Cato's 70+ globally dispersed points of presence (PoPs). Mobile users connect to the same PoPs from any device by running the Cato Client. With Cato, new locations or users can be up and running in hours or even minutes, not days or weeks. Security capabilities include Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Firewall as a Service (FWaaS).

With Cato, customers can easily migrate from MPLS to SD-WAN, optimize global connectivity to on-premises and cloud applications, enable secure branch office Internet access everywhere, and seamlessly integrate cloud datacenters and mobile users into a high-speed network with a zero-trust architecture. So whether it's mergers and acquisitions, global expansion, rapid deployments, or cloud migration, with Cato, the network and your business are ready for whatever is next in your digital transformation journey. Learn more about the differences between traditional WAN and SD-WAN.

Not All Backbones are Created Equal

It's no secret that many enterprises are reevaluating their WAN. In some cases, it might be an MPLS network, which is no longer suitable (or affordable) for the modern digital business. In other cases, it might be a global SD-WAN deployment, which relied too much on the unpredictable Internet.

Regardless of why the company needs to transform its enterprise network, the challenge remains the same: how do you get secure connections with the same service-level predictability and consistency as MPLS at an Internet-like price point? This calls for a SASE service built on a global private backbone.

Why a Global SASE Service?

Even enterprises that previously thought of themselves as regional operations find they need global reach today. Why? Because users and data are everywhere. They can (and probably do) sit in homes (or cafés) far from any place an office might be situated, accessing cloud apps across the globe. Pulling traffic back to some site for security inspection and enforcement adds latency, killing the application experience. Far better is to put security inspection wherever users and data sit. This way users receive the best possible experience no matter where in the world they might be sitting.

Why Private?

Once inspected, moving traffic to a private datacenter or other sites across the global Internet is asking for trouble. The Internet might be fine as an access layer, but it's just too unpredictable as a backbone. One moment a path might be direct and simple; the next your traffic could be sent on a 40-stop visit the wrong way around the globe. With a private backbone, optimized routing and engineering for zero packet loss make latency far lower and more predictable than across the global Internet.

Why Not Private Networks from Hyperscalers?

All major public cloud providers (AWS, Azure, and GCP) realize the benefits of global private networks and offer backbone services today. So why not rely on them? Because while a hyperscaler backbone might be able to connect SD-WAN devices, it lacks the coverage to bring security inspection close to users across the globe. Only a fraction of the many hyperscaler PoPs can run the necessary security inspections, and only a smaller fraction can act as SD-WAN on-ramps. At last check, for example, only 39 of Azure's 65 PoPs supported Azure Virtual WAN. And then there's the question of availability. The uptime SLAs offered by cloud providers are too limited, only running 99.95% uptime, while traditional telco service availability typically runs at four nines, 99.99% uptime.

Why Cato's Global Private Backbone?

For those reasons and more, enterprises are replacing their legacy network with Cato's global private backbone. Today, it's the largest private SASE network, spanning 70+ PoPs worldwide.

Built as a cloud-native network with a global private backbone, Cato SASE Cloud has revolutionized global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, we provide affordable SLA-backed connectivity at global scale. And every one of our PoPs runs the Cato Single Pass Cloud Engine (SPACE), the converged software stack that optimizes and secures all traffic according to customer policy.

Our simple edge devices combine last-mile transports, such as fiber, cable, xDSL, and 4G/5G/LTE. Encrypted tunnels across these last-mile transports carry traffic to the nearest PoP. The same goes for our mobile clients (and clientless access). From the PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers. This model extends to cloud services as well. Traffic to cloud applications or cloud data centers exits at the PoP closest to these services, in many cases within the same data center hosting both the PoP and the cloud service instance.

Key Benefit #1 – Optimized Performance

With built-in WAN optimization, Cato increases data throughput by as much as 40x. Advanced TCP congestion control enables Cato edges to send and receive more data, as well as better utilize available bandwidth. Other specific optimization improvements include:

- Real-time network condition tracking to optimize packet routing between PoPs. We don't rely on inaccurate metrics like BGP hops, but rather on network latency, packet loss, and jitter on the specific route.
- Controlling the routing and achieving MPLS-like consistency and predictability anywhere in the world. For example, the path from Singapore to New York may work better through Frankfurt than going direct, and Cato SASE Cloud adapts to the best route in real time.
- Applying dynamic path selection both at the edge and at the core, creating end-to-end optimization.
- Accelerating bandwidth-intensive operations like file upload and download through TCP window manipulation.

Key Benefit #2 – Self-Healing and Resiliency

To ensure maximum availability, Cato SASE Cloud delivers a fully self-healing architecture. Each PoP has multiple compute nodes, each with multiple processing cores. Each core runs a copy of Cato SPACE, which manages all aspects of failure detection. Failover and failback are automated, eliminating the need for dedicated planning or pre-orchestration. More specifically, resiliency capabilities include:

- Automatically working around backbone providers in case of outage or degradation to ensure service availability.
- Ensuring that if a compute node fails, tunnels seamlessly move to another compute node in the same PoP or to another nearby PoP.
- In the unlikely event that a tier-1 provider fails or degrades, PoPs automatically switch to one of the alternate tier-1 providers.
- Specialized support for challenging locations like China. Cato PoPs are connected by private and encrypted links through a government-approved provider to Cato's Hong Kong PoP.

A great example of Cato resiliency at work was the recent Interxion datacenter outage in London, which housed Cato's London PoP. The outage disrupted trading on the London Metal Exchange for nearly five hours. And for Cato? A few seconds. Read this first-hand account from Cato's vice president of operations, Aviram Katzenstein.

Key Benefit #3 – Secure and Protected

Cato's global private backbone has all security services deployed in each of the Cato PoPs. This means that wherever you connect from, your traffic is protected by a full security stack at the PoP nearest to you. From there, Cato's backbone carries your traffic directly to its destination, wherever it may be. This enables full security for all endpoints without any backhauling or additional stops along the way.

Extensive measures are taken to ensure the security of Cato SASE Cloud. All communications, between PoPs, with Cato Sockets, or with Cato Clients, are secured by AES-256 encrypted tunnels. To minimize the attack surface, only authorized sites and remote users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. Our service is ISO 27001 certified.

Key Benefit #4 – Internet-like Costs

We reduce the cost of enterprise-grade global connectivity by leveraging the massive build-out in IP capacity. All Cato PoPs are connected by SLA-backed transit capacity across multiple tier-1 networks. The Cato software monitors the underlying capacity, selecting the optimum path for every packet. The result: a network with far better performance than the public Internet at a far lower cost than global MPLS.
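The metric-based path selection described under Key Benefit #1 (routing on measured latency, loss and jitter rather than hop count, so that Singapore to New York can be better via Frankfurt than direct) as an added illustration; this is not Cato's code, and the link measurements and cost weights are constructed values chosen to show the effect:

```python
"""Metric-based path selection between PoPs (constructed illustration).

Each directed link carries a measured (latency_ms, loss_pct, jitter_ms)
triple. A hop-count metric picks the direct link; a composite cost over
the measurements picks the better-performing relay path, and a fresh
computation after the measurements change adapts the route.
"""
import heapq
from typing import Callable, Dict, List, Optional, Tuple

Metrics = Tuple[float, float, float]          # (latency_ms, loss_pct, jitter_ms)
Graph = Dict[str, Dict[str, Metrics]]         # pop -> neighbour -> metrics
CostFn = Callable[[float, float, float], float]


def link_cost(latency_ms: float, loss_pct: float, jitter_ms: float) -> float:
    """Composite link cost in 'effective milliseconds'.

    The weights are an assumption for this example: each percent of packet
    loss is charged as a retransmission delay, and jitter is penalised
    because it inflates the delay the application actually sees.
    """
    LOSS_PENALTY_MS_PER_PCT = 50.0
    JITTER_WEIGHT = 2.0
    return latency_ms + LOSS_PENALTY_MS_PER_PCT * loss_pct + JITTER_WEIGHT * jitter_ms


def hop_cost(latency_ms: float, loss_pct: float, jitter_ms: float) -> float:
    """Hop-count metric: every link costs the same, regardless of quality."""
    return 1.0


def add_link(graph: Graph, a: str, b: str,
             latency_ms: float, loss_pct: float, jitter_ms: float) -> None:
    """Insert or update a bidirectional link with the latest measurements."""
    graph.setdefault(a, {})[b] = (latency_ms, loss_pct, jitter_ms)
    graph.setdefault(b, {})[a] = (latency_ms, loss_pct, jitter_ms)


def best_path(graph: Graph, src: str, dst: str,
              cost_fn: CostFn = link_cost) -> Optional[Tuple[float, List[str]]]:
    """Dijkstra's algorithm over cost_fn(metrics); returns (total_cost, path)."""
    dist: Dict[str, float] = {src: 0.0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[float, str]] = [(0.0, src)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            break
        for nxt, metrics in graph.get(node, {}).items():
            nd = d + cost_fn(*metrics)
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def sample_backbone() -> Graph:
    """Constructed measurements: the direct link is lossy and jittery."""
    g: Graph = {}
    add_link(g, "Singapore", "New York", 260.0, 1.5, 30.0)   # cost 395.0
    add_link(g, "Singapore", "Frankfurt", 150.0, 0.1, 3.0)   # cost 161.0
    add_link(g, "Frankfurt", "New York", 85.0, 0.05, 2.0)    # cost 91.5
    return g


if __name__ == "__main__":
    g = sample_backbone()
    print("hop count :", best_path(g, "Singapore", "New York", hop_cost))
    print("measured  :", best_path(g, "Singapore", "New York"))
    # The Frankfurt leg degrades; recomputing on fresh measurements moves
    # traffic back to the direct link.
    add_link(g, "Singapore", "Frankfurt", 150.0, 5.0, 40.0)
    print("after loss:", best_path(g, "Singapore", "New York"))
```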
A Proven Solution for Global Connectivity

Cato’s backbone delivers better performance, availability, and coverage than any single carrier. A single tier-1 carrier can’t reach all parts of the globe, and a single tier-1 carrier can’t provide the predictability of MPLS. Just as enterprises use SD-WAN to aggregate Internet services and overcome the limitations of any one service, SASE leverages SD-WAN to aggregate tier-1 carriers to overcome the limitations of any one network.

“Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up.”
Steve Waibel, Director of IT, Brake Masters

“We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.”
Joel Jacobson, Global WAN Manager, Vitesco Technologies

“The fast backbone connection most of the way to its ACD cloud service was a big plus. QOS was always a struggle before Cato. It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.”
Bill Wiser, Vice President of IT, Focus Services

Thanks to the low cost of the Cato solution, Boyd CAT more than doubled branch bandwidth, moving from 10 to 25 Mbits/s, to dramatically improve application performance together with Cato's optimization and global private backbone. “The branches were just loving it. They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.”
Matt Bays, Communications Analyst, Boyd CAT

With Cato SASE, office, remote, and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers.

“This year, the entire WAN and Internet connectivity will be running on Cato.”
Eiichi Kobasako, Chief of Integrated Systems, Lion Corporation

Cato’s Ransomware Lab Births Network-based Ransomware Prevention

As you might have heard, Cato introduced network-based ransomware protection today. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, we’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.

Of course, this isn’t our first foray into malware protection. Cato has a rich multilayered malware mitigation strategy of disrupting attacks across the MITRE ATT&CK framework. Cato’s antimalware engine prevents the distribution of malware in general. Cato IPS detects anomalous behaviors used throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent MITRE techniques used by common ransomware groups, spotting the attack before the impact phase. And, as part of this strategy, Cato security researchers follow the techniques used by ransomware groups, updating Cato’s defenses and protecting enterprises against exploitation of known vulnerabilities in record time.

What’s being introduced today are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes, including:

- File properties such as specific file names, file extensions, creation dates, and modification dates,
- Shared volume access data such as metrics on users accessing remote folders,
- Network behavior such as creating certain files and moving across the network in particular ways, and
- Time intervals such as encrypting whole directories in seconds.

Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.

The work comes out of our ransomware lab project that we started several months ago. The lab uses a standalone network within Cato where we reproduce ransomware infections as they occur in real-life organizations. “We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations, and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato. So far, the team has dug into more than a dozen ransomware families, including Black Basta, Conti, and Avos Locker.

To get a better sense of what our ransomware protections bring, check out the video below:
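The four attribute families listed above (file properties, shared-volume access, network behavior, and time intervals) map naturally onto per-source features over a short time window. The block below is an added example of that scoring approach and is not Cato's detection logic: the SMB event format, the thresholds, the note-name markers and the sample events are all constructed, and the "block" verdict is returned as data rather than enforced anywhere. It scores each client host over the last ten seconds of its file operations and flags a host that rewrites many files across several directories to an unknown extension while dropping a note file in each.

```python
"""Heuristic scoring of SMB file operations for ransomware-like behaviour (added example).

Not Cato's code. Event fields, thresholds, marker words and sample events
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List, Set


@dataclass
class SmbEvent:
    ts: float    # seconds (constructed clock)
    src: str     # client host that issued the operation
    user: str
    share: str
    op: str      # "create", "write" or "rename"
    path: str    # path on the share; for a rename, the new name


WINDOW_SECONDS = 10.0
# Constructed thresholds; a production system would baseline these per environment.
MIN_MODIFIED_FILES = 20   # files written/renamed inside one window
MIN_DISTINCT_DIRS = 3     # a sweep across folders rather than one edited file
MIN_NOTE_DIRS = 2         # note-like files created in several folders
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to")  # generic name fragments
ALERT_SCORE = 3           # number of independent signals required to act
KNOWN_EXTS: Set[str] = {"xlsx", "docx", "pdf", "txt"}  # constructed baseline


def _name(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    name = _name(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _dir(path: str) -> str:
    return path.rsplit("/", 1)[0]


def score_source(events: List[SmbEvent], known_exts: Set[str]) -> Dict[str, Any]:
    """Score one client's operations that fall inside its latest window."""
    if not events:
        return {"score": 0, "reasons": []}
    events = sorted(events, key=lambda e: e.ts)
    cutoff = events[-1].ts - WINDOW_SECONDS
    recent = [e for e in events if e.ts >= cutoff]
    modified = [e for e in recent if e.op in ("write", "rename")]
    reasons: List[str] = []

    # Time interval: many files touched within seconds.
    if len(modified) >= MIN_MODIFIED_FILES:
        reasons.append(f"{len(modified)} files modified in {WINDOW_SECONDS:.0f}s")

    # File properties: renames to an extension never seen on this share.
    new_ext = [e for e in modified if e.op == "rename" and _ext(e.path) not in known_exts]
    if len(new_ext) >= MIN_MODIFIED_FILES // 2:
        reasons.append(f"{len(new_ext)} renames to unknown extension")

    # Shared-volume access: one user sweeping many remote folders.
    dirs = {_dir(e.path) for e in modified}
    if len(dirs) >= MIN_DISTINCT_DIRS:
        reasons.append(f"{len(dirs)} directories touched")

    # Network behaviour: note-like file created in several folders.
    note_dirs = {
        _dir(e.path) for e in recent
        if e.op == "create" and any(m in _name(e.path).lower() for m in NOTE_MARKERS)
    }
    if len(note_dirs) >= MIN_NOTE_DIRS:
        reasons.append(f"note-like file created in {len(note_dirs)} directories")

    return {"score": len(reasons), "reasons": reasons}


def evaluate(events: List[SmbEvent], known_exts: Set[str] = KNOWN_EXTS) -> Dict[str, Dict[str, Any]]:
    """Group events by source host and return a verdict per host."""
    by_src: Dict[str, List[SmbEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        result = score_source(evs, known_exts)
        result["action"] = "block_smb_from_source" if result["score"] >= ALERT_SCORE else "allow"
        verdicts[src] = result
    return verdicts


def sample_events() -> List[SmbEvent]:
    """Constructed traffic: routine editing from one host, a mass rewrite from another."""
    evs: List[SmbEvent] = []
    for i in range(3):  # three spreadsheet saves over a minute
        evs.append(SmbEvent(1000.0 + 20 * i, "10.0.0.5", "alice", "finance", "write", f"/reports/q{i}.xlsx"))
    t = 2000.0
    for d in range(4):  # 24 renames across 4 folders in under 4 seconds, plus a note in each
        for f in range(6):
            evs.append(SmbEvent(t, "10.0.0.9", "bob", "finance", "rename", f"/dept{d}/file{f}.lockedx"))
            t += 0.15
        evs.append(SmbEvent(t, "10.0.0.9", "bob", "finance", "create", f"/dept{d}/README_RESTORE.txt"))
    return evs


if __name__ == "__main__":
    for host, verdict in evaluate(sample_events()).items():
        print(host, verdict)
```

Requiring several independent signals before acting is what keeps a backup job or a bulk document import (many writes, but known extensions and no note files) from tripping the block; each reason string also travels with the verdict so the notification the page mentions can say why a source was isolated.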

Azure SD-WAN: Cloud Datacenter Integration with Cato Networks

As critical applications migrate into Microsoft Azure, enterprises are challenged with building a WAN that can deliver the necessary cloud performance without dramatically increasing costs and complexity. There’s been no good approach to building an Azure SD-WAN — until now. Cato’s approach to Azure SD-WAN improves performance AND simplifies security, affordably. Let’s see how.

Azure SD-WAN’s MPLS and SD-WAN Problem

When organizations start relying on Azure, two problems become increasingly apparent. First, how do you secure your Azure instance? Running virtual firewalls in Azure adds complexity and considerable expense, necessitating the purchase of additional cloud compute resources and third-party licenses. What’s more, virtual firewalls are limited in capacity, requiring upgrades as traffic grows. Cloud performance may suddenly decline because the firewall is choking the network. Adding other cloud instances requires additional tools, complicating operations.

You can continue to rely on your centralized security gateway, backhauling traffic from the branch office for inspection by the gateway before sending the traffic across the Internet to Azure. You can even improve the connection between the gateway and Azure with a premium connectivity service, such as Azure ExpressRoute. But, and here’s the second issue, how do you deal with the connectivity problem? Branch offices that might otherwise be a short hop away from an Azure entrance point must now send traffic back to the centralized gateway for inspection before reaching Azure. The approach does nothing for mobile users, who sit off the MPLS network regardless. And what happens as your cloud strategy evolves and you add other cloud datacenter services, such as Amazon AWS or Google Cloud? Now you need a whole new set of security and connectivity solutions, adding even more cost and complexity.

Nor does edge SD-WAN help. There’s no security built into edge SD-WAN, so you haven’t addressed that problem. There’s also no private global network, so you’re still reliant on MPLS for predictable connectivity. Edge SD-WAN solutions also require the cost and complexity of deploying additional edge SD-WAN appliances to connect to the Azure cloud. And, again, none of this helps with mobile users, which are also out of scope for edge SD-WAN.

How Azure SD-WAN Works to Connect Cato and Azure

Cato addresses all of the connectivity and security challenges of Azure SD-WAN. Cato’s global private backbone spans more than 75+ points of presence (PoPs) across the globe, providing affordable premium connectivity worldwide. Many of those Cato PoPs colocate within the same physical datacenters as entrance points to Azure. Connecting from Azure to Cato is only a matter of crossing a fast LAN connection, giving Cato customers ExpressRoute-like performance at no additional charge.

To take advantage of Cato’s unique approach, Cato customers do two things. First, to connect Cato and Azure, enterprises take advantage of our agentless configuration, establishing IPsec tunnels between the two services and making the PoP the egress point for Azure traffic. There’s no need to deploy additional agents or virtual appliances. Cato will then optimize and route Azure traffic from any Cato PoP along the shortest and fastest path across Cato Cloud to the destination PoP. Second, sites and mobile users send their Azure traffic to Cato by establishing encrypted tunnels across any Internet connection to the nearest Cato PoP. Sites will run a Cato Socket, Cato’s SD-WAN appliance, or establish IPsec tunnels from an existing third-party security device, and mobile users run the Cato mobile client on their devices.

Alternatively, if you’d like to leverage all of Cato’s SD-WAN capabilities in Azure, you can easily deploy Cato’s virtual socket instead of IPsec tunnels, which includes automatic PoP selection, high availability, and automatic failover. The beauty of Cato’s virtual socket is that you can deploy it in minutes instead of hours. To get started with the Cato virtual socket, search for Cato Networks in the Azure marketplace. Then, click Get It Now, and follow the outlined configuration guidelines.

How Azure SD-WAN Secures Azure Resources

In addition to connectivity, Cato’s Azure SD-WAN solution secures cloud resources against network-based threats. Every Cato PoP provides Cato’s complete suite of security services, eliminating the need for backhauling. Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities that currently includes application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), and Cloud Access Security Broker (CASB). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Azure instances and all resources connected to Cato, including sites, mobile users, and other cloud resources, are protected through a common set of security policies, avoiding the complexity that comes with purchasing security tools unique to Azure or other cloud environments.

Azure SD-WAN Benefits

The bottom line is that Azure SD-WAN delivers connectivity and security with minimal complexity and cost:

Superior Microsoft Azure performance
The combination of global Cato PoPs, a global private backbone, and Microsoft Azure colocation accelerates Microsoft Azure application performance by up to 20X vs. a typical corporate Internet-based connection. Not only is latency minimized, but Cato’s built-in network optimizations further improve data transfer throughput. And all of that is done for branch offices as well as mobile users. The result is a superior user experience without the need for premium cloud provider transport services.

Security and deployment simplicity
With Cato, organizations don’t have to size, procure, and manage scores of branch security solutions normally needed for the direct Internet access critical to delivering low-latency cloud connectivity. Security is built into Cato Cloud; cloud resources are protected by the same security policy set as any other resource or user on the enterprise backbone. Cato’s agentless configuration also means customers don’t have to install additional SD-WAN appliances in the Azure cloud. These benefits are particularly significant for multi-cloud enabled organizations, which normally would require separate connectivity solutions for each private datacenter service. (However, if you’d like to leverage additional capabilities in Azure, you can deploy the integration in minutes with Cato’s virtual Socket.)

Networking and security agility
Cato’s SD-WAN simplicity, Azure integration, and built-in security stack enable branch offices and mobile users to get connected to Microsoft Azure in minutes or hours vs. weeks or months for branch office appliance-based SD-WAN.

Affordable and fast ROI
Enterprises get superior cloud performance without paying the high cost of branch office SD-WAN hardware, carrier SD-WAN services, or Microsoft Azure ExpressRoute transport. Nor do companies need to invest in additional security services to protect cloud resources with Cato.

For more information on how Cato integrates with the cloud, contact Cato Networks or check out this eBook on Migrating your Datacenter Firewall to the Cloud.

The Only SASE RFP Template You’ll Ever Need

Why do you need a SASE RFP?

Shopping for a SASE solution isn’t as easy as it sounds. SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019). At less than 3 years young, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: if you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs.

A Quick Note about Cato’s RFP Template

Do a quick Google search and you’ll find millions of general RFP templates. By contrast, Cato’s RFP template only covers the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, such as collecting general company details from your vendors.

So, What Must a SASE RFP Template Include?

Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the sections relevant to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects.

A Sneak Peek at Cato’s RFP Template

If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick guide", and then download the full SASE RFP template to put it into practice.

1. Business and IT overview
You’ll describe your business and IT. Make sure to include enough detail for vendors to understand your environment, so they can tailor their answers to your specific needs and explain why their solution is valuable to your use case.

2. Solution Architecture
Understand your proposed vendor's architecture: what the architecture includes, what it does, and where it is placed (branch, device, cloud). Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc.

3. Solution Capabilities
Deep dive into your proposed vendor's functionalities. The idea is to select all the sections relevant to your proposed SASE deployment and have the vendor fill them out.

SD-WAN: Receive a thorough exploration of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, and gradual deployment / co-existence with legacy MPLS networks.
Security: Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management analytics and reporting.
Cloud: Determine the vendor components needed to connect a cloud datacenter to the network, amongst other areas.
Mobile (SDP / ZTNA): Understand how vendors connect a mobile user to the network, their available mobile solutions for connecting mobile users to WAN and cloud, and other key areas.
Global: Explore your vendor’s global traffic optimization, how they optimize network support for mobile users, and more.

4. Support and Services
Evaluate the service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun” support models, and to decide whether you want a self-managed, fully managed, or co-managed service.

Support and Professional services: Understand whether vendors offer “follow-the-sun” support, their hours of support, and more.
Managed Services: Get a sense of vendor managed services in several key areas.

Next Steps: Get the Full SASE RFP / RFI Template

Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand if a SASE offering can meet the needs of your organization both now and in the future. Download Cato Networks’ full SASE RFP / RFI Made Easy Template to begin your SASE success story.

Cato Expands to Marseilles and Improves Resiliency Within France

Cato just announced the opening of our new PoP in Marseilles, France. Marseilles is our second PoP in France (Paris being the first) and our 20th in EMEA. Overall, Cato SASE Cloud is comprised of 70+ PoPs worldwide, bringing Cato’s capabilities to more than 150 countries.

As with all our PoPs, Marseilles isn’t just a “gateway” that secures traffic to and from the Internet. Cato PoPs are far more powerful. Like the rest of our PoPs, Marseilles will run Cato's Single Pass Cloud Engine (SPACE), Cato's converged cloud-native software. Cato SPACE provides enterprise-grade threat prevention, data protection, and global traffic optimization for East-West traffic to other Cato PoPs and North-South traffic to the Internet or the cloud. Cato SPACE sets speed records in the SASE world by processing up to 3 Gbps of traffic per site with full decryption and all security engines active at line rate. Cato SPACE is so effective and reliable that enterprises can replace legacy MPLS networks and security appliances.

The Marseilles PoP, like all of our PoPs, is equipped with multiple compute nodes running many SPACE engines. When a site’s traffic hits the Marseilles PoP, the traffic flow is immediately assigned to the most available SPACE engine. Should a SPACE engine fail within a PoP, flows are automatically processed by another SPACE instance. Should the datacenter hosting a Cato PoP fail, users and resources automatically reconnect to the next available PoP, as all PoPs are equipped with enough surplus capacity to accommodate the additional load.

A case in point was the recent Interxion datacenter outage. The datacenter housed the London Metal Exchange and Cato's London PoP. The outage disrupted the Exchange for nearly five hours. Cato customers were also impacted – for 30 seconds – as London-connected sites and users automatically and transparently moved over to Cato's Manchester and Dublin PoPs. In the case of Marseilles, Cato's self-healing architecture automatically and transparently moves sites and users to the next best PoP, likely the one in Paris.

"Before Cato, there were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider," said Thomas Chejfec, Group CIO of Haulotte, a global manufacturer of materials and people lifting equipment. Haulotte moved to Cato after facing three years of delays and cost overruns rolling out MPLS to its more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific. "Since deploying Cato, the network is no longer a topic of discussion with users," says Chejfec. "We never hear about it anymore."

Of course, delivering a great cloud platform means having great partners. Cato's complete range of networking and security capabilities are available today from numerous partners across France, including Ava6, ADVENS, Anetys, Hexanet, IMS Networks, OCD, NEOVAD, Nomios, Rampar, Sasety, and Selceon.

Cato continues to work hard to deliver and grow our global network. Marseilles is our latest launch, but hardly our last. Expect us to continue adding PoPs and growing our global footprint so you can connect and secure your offices and users wherever they may be located.

How to Buy SASE: Cato Answers Network World’s 18 Essential Questions

Last December, Network World published a thoughtful guide outlining the questions IT organizations should be asking when evaluating SASE platforms. It was an essential list that should be included in any SASE evaluation. Too often, SASE is a marketing term applied to legacy point solutions, which is why we suspect these questions are even needed.

By contrast, the Cato SASE Cloud is the world's first cloud-native SASE platform, converging SD-WAN and network security in the cloud. Cato Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud data centers, into a global and secure, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times.

In short, Cato provides all of the core SASE capabilities identified by NWW. We are pleased to respond point-by-point to every issue raised. You should also check out our SASE RFP template to help with the evaluation.

1. Does the vendor offer all of the capabilities that are included in the definition of SASE? If not, where are the gaps? If the vendor does claim to offer all of the features, what are the strengths and weaknesses? How does the maturity of the vendor offerings mesh or clash with your own strengths, weaknesses, and priorities? In other words, if your biggest need is Zero Trust, and the vendor's strength is SD-WAN, then the fit might not be right.

Yes, Cato provides all of the core capabilities NWW defines for SASE – and more. On the networking side, the Cato Global Private Backbone connects 70+ PoPs worldwide. Locations automatically connect to the nearest PoP with our edge SD-WAN device, the Cato Socket. Cloud datacenters are connected via an agentless configuration, and cloud applications are connected through our cloud-optimized routing. Remote users connect by using the Cato Mobile Client or clientless browser access.

On the security side, Cato Security as a Service is a fully managed suite of enterprise-grade and agile network security capabilities, built directly into the Cato Global Private Backbone. Current security services include firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), IPS-as-a-Service (IPS), Cloud Access Security Broker (CASB), and a Managed Threat Detection and Response (MDR) service.

2. How well integrated are the multiple components that make up the SASE? Is the integration seamless?

The Cato SASE Cloud is completely converged. The Cato SPACE architecture is a single software stack running in our PoPs. Enterprises manage and monitor networking, security, and access through a single application. All capabilities are available in context via a shared user interface. Objects created in one domain (such as security) are available in other domains (such as networking or remote access). (To see what we mean by seamless, check out this detailed walkthrough of the Cato Management Application.)

3. Assuming the vendor is still building out its SASE, what does the vendor roadmap look like? What is the vendor's approach in terms of building capabilities internally or through acquisition? What is the vendor's track record integrating past acquisitions? If building internally, what is the vendor's track record of hitting its product release deadlines?

Cato has demonstrated its ability to develop and bring capabilities to market. Since its founding in 2015, Cato has successfully developed and delivered the global SASE cloud, which is used today by more than 1000 enterprises. We regularly add new services and capabilities to our platform, such as December's announcement of more than 103 frontend improvements and updates to our backend event architecture. (Other additions included a Cloud Application catalog, a Threats dashboard, an Application Analytics dashboard, the CASB launch, and updates to our managed detection and response (MDR) service that automated security assessments.)

4. Whose cloud is it anyway? Does the vendor have its own global cloud, or are they partnering with someone? If so, how does that relationship work in terms of accountability, management, SLAs, troubleshooting?

Cato owns and maintains the Cato SASE Cloud. The PoPs are on our hardware hosted in tier-3 datacenters, running Cato's cloud-native software stack. Every PoP is connected by at least two, and many by four, tier-1 carriers, who provide SLA-backed capacity. Cato's custom routing software constantly evaluates these paths, identifying the shortest path for each packet.

Questions for MSPs

Network World also included a series of questions specific to managed service providers (MSPs) that we'd like to address as well. Cato, in addition to building a SASE platform, is also a service provider, so we took the liberty of responding to these questions too.

1. How many PoPs do they have and where are they located? Does the vendor cloud footprint align with the location of your branch offices?

The Cato Global Private Backbone currently serves 140 countries worldwide from more than 70 PoPs, and we continue to expand each quarter.

2. Does the vendor have the scale, bandwidth, and technical know-how to deliver line-rate traffic inspection?

Thanks to our highly scalable cloud-native architecture, the Cato Cloud delivers line-rate performance regardless of whether traffic is encrypted or unencrypted, and regardless of the number of security operations performed. PoPs have enough spare capacity to accommodate traffic surges. A case in point was how our Manchester PoP accommodated additional traffic during the Interxion outage.

3. For the cloud-native vendors: How can you demonstrate that your homegrown SASE tools stack up against, say, the firewall functionality from a name-brand firewall vendor?

Cato can fully replace branch office firewalls and, usually, datacenter firewalls. Moreover, the convergence of capabilities allows us to deliver security capabilities and visibility impossible with legacy point solutions. For example, we can use data science and machine learning algorithms on networking data to spot security threats before they can exfiltrate data. The company was founded by security luminary Shlomo Kramer, co-founder of Check Point Software. It taps some of the brightest minds in cybersecurity that Israel has to offer. You're welcome to try out our platform and see for yourself.

4. Is there a risk that the vendor might be an acquisition target? As the market continues to heat up, further acquisitions seem likely, with the bigger players possibly gobbling up the cloud-native newcomers.

Cato is a well-established company with well over 1,100 enterprise customers, committed to serving the needs of those customers for the long term. We've raised over $500 million in venture capital, resulting in a private $2.5 billion valuation.

5. For the traditional managed services powerhouses like AT&T and Verizon, do they have all the SASE capabilities, where did they get them, and how well are they integrated? What is the process for troubleshooting, SLAs, and support? Is there a single management dashboard?

Cato, just like any cloud service provider, enables organizations to co-manage their own Cato implementation while Cato maintains the underlying infrastructure. IT teams can opt to manage infrastructure themselves, outsource a subset of responsibilities to a Cato partner, or have a Cato partner fully manage the infrastructure. There's always 24x7 support available.

6. Is there flexibility in terms of policy enforcement? In other words, can a consistent SASE security policy be applied across the entire global enterprise, and can that policy also be enforced locally depending on business policy and compliance requirements?

Yes, customers apply a consistent security policy across the enterprise. In fact, enterprises have full control over their security policies. We instantiate the most commonly used security policies at startup, so most customers require little or no changes. The policy set is instantly applied across the global enterprise or to a specific site or user, depending on requirements. Enterprises can, of course, add or change policies as necessary.

7. Even if enforcement nodes are localized, is there a SASE management control plane that enables centralized administration? This administrative interface should allow security and network policy to be managed from a single console and applied regardless of the location of the user, the application, or the data.

Cato provides centralized administration via our management application. Both security and network policies are managed from the same interface for all Cato-connected users and resources, whether they exist in the office, on the road, at home, or in the cloud.

8. How is sensitive data handled? What are the capabilities in terms of visibility, control, and extra protection?

Cato encrypts and protects all data in transit and at rest within the Cato network. Designated applications or data flows that contain sensitive information can also remain encrypted if required, in a way that bypasses Cato inspection engines.

9. Is policy enforced consistently across all types of remote access to enterprise resources, whether those resources live in the public internet, in a SaaS application, or in an enterprise app that lives on-premises or in an IaaS setting?

Part of what makes Cato unique is that all inspection engines and network capabilities operate on both northbound traffic to the Internet and east-west traffic to other Cato-connected resources. Our CASB, for example, inspects all Internet and cloud-based traffic. Security capabilities continue to perform well on East-West traffic regardless of the user's location, due to the Cato global private backbone and our distributed cloud architecture.

10. Is policy enforced consistently for all possible access scenarios: individual end users accessing resources from a home office or a remote location, groups of users at a branch office, as well as edge devices, both managed and unmanaged?

Cato uses a single policy set for all access scenarios.

11. Is the network able to conduct single-pass inspection of encrypted traffic at line rate? Since the promise of SASE is that it combines multiple security and policy enforcement processes, including special treatment of sensitive data, all of that traffic inspection has to be conducted at line speed in a single pass in order to provide the user experience that customers demand.

Cato uses a single-pass inspection engine that can operate at line rate even on encrypted traffic. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the full set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, using a service that is both self-healing and self-maintaining.

12. Is the SASE service scalable, elastic, resilient, and available across multiple PoPs? Be sure to pin the service provider down on contractually enforced SLAs.

The Cato SASE Cloud is a fully distributed, self-healing service that includes many tiers of redundancy. If the core processing a flow fails, the flow will be handled by one of the other cores in the compute node. Should a compute node fail, other compute nodes in the Cato PoP assume the operation. Should the PoP become inaccessible, Cato has 70+ other PoPs available that enable users to automatically reconnect to the next best available PoP. Enterprises do not need to do any of the high availability (HA) planning that is typically required when relying on virtual appliances to deliver SASE services. We have 99.999% uptime SLAs with our carriers. Should one of the tier-1 carriers connecting our PoPs experience an outage or slowdown, Cato's routing software detects the change and automatically selects the next best path from one of two other carriers connecting our PoPs. Should the entire Cato backbone (that's right, all 70+ PoPs) somehow disappear one day, Cato Sockets will automatically bring up a peer-to-peer network.

13. One of the key concepts of zero trust is that end-user behavior should be monitored throughout the session and actions taken to limit or deny access if the end user engages in behavior that violates policy. Can the SASE enforce those types of actions in real time?

Cato inspects device posture first upon connecting to the network, ensuring the device meets predefined policy requirements, and then continues to monitor the device once connected. Should a key variable change, such as an anti-malware engine expiring, the device can be blocked from the network or provided limited access, depending on corporate requirements. As users connect to cloud application resources, Cato inspects traffic flows. Dozens of actions within applications can be blocked, enabled, or otherwise monitored and reported, such as uploading files or giving write access to key applications.

14. Will the SASE deliver a transparent and simplified end user experience that is the same regardless of location, device, OS, browser, etc.?

The Cato experience remains consistent regardless of operating system. Mobile users can be given clientless access or client-based access with the Cato Mobile Client. The Cato Mobile Client is available for all major enterprise platforms, including Windows, macOS, Android (also supported for ChromeOS), iOS, and Linux. Users within the locations connected by Cato Sockets, Cato's edge SD-WAN device, log into their network as usual with no change. Once connected to the Cato SASE Cloud, all security inspection is done locally at the connected PoP, eliminating the traffic backhaul that so often degrades the performance of mobile users situated far from their offices. The Cato Global Private Backbone uses optimized routing to minimize latency and WAN optimization to maximize throughput. The result is a remote user experience that's as close as possible to being inside the office.

Other Questions to Explore

We applaud Network World for raising these issues. Some other questions we might encourage IT teams to ask MSPs include:

High Availability (HA): Take a close look at how HA is delivered by the vendor. What's the additional cost involved with deploying the secondary appliance? How are the SD-WAN devices configured and deployed? With most enterprises, HA has become the de facto edge configuration to ensure the high uptime they're looking for, particularly when replacing MPLS. What happens when there is a lockup rather than just an outage; will the system fail over properly? What about the underlying memory, storage, and server system underpinning what are often virtual appliances? What happens if the PoP itself becomes inaccessible? The list goes on.

The secure Cato SASE platform is based on a fully distributed, self-healing network built for the cloud era that we manage 24/7 on behalf of our customers. Anything less than that, from our perspective, simply isn't SASE.

IT Managers: Read This Before Leaving Your MPLS Provider

Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO. “That MPLS – too expensive. Find an alternative.” This couldn’t have come at a better time... Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution...

There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least consider MPLS alternatives.

1. Get crystal clear on your WAN challenges: Do any of these challenges sound familiar?

A. You’ve been told to cut costs

It’s no secret that MPLS circuits cost a fortune – often 3-4x the price of MPLS alternatives (like SD-WAN) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead times for site installations (weeks to months), upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise that needs to move at the speed of business.

B. Employees constantly complain about performance

While traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VoIP and file transfer. Multiply that by hundreds or thousands of simultaneous users and you choke your network, creating performance problems which IT is tasked to solve. Wouldn’t it be nice if IT was free to solve business-critical issues instead of recurring network performance issues?

Related resource: What Others Won’t Tell You About MPLS | EBOOK (https://www.catonetworks.com/resources/what-telcos-wont-tell-you-about-mpls/?utm_source=blog&utm_medium=top_cta&utm_campaign=wont_tell_you_about_mpls)

C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps

Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when” statement. And the traditional hub-and-spoke networking architecture creates too much latency on cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure; it instead requires advanced cloud-delivered cybersecurity solutions like SWG, FWaaS and CASB.

D. IT now needs to support work from anywhere, with no downtime

Prior to COVID, work from anywhere was more the exception than the rule. In the “new normal,” enterprises need the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds or thousands of users simultaneously connecting to the network while maintaining an optimum security posture, the way ZTNA can.

So, should you stay with MPLS or should you go? Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS... Whether it’s cost, digitization, performance or secure remote access, is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrow’s)?

2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN?

You’ve decided that your MPLS isn’t all it’s cracked up to be. Now what? While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise. True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere. However, SD-WAN was designed to optimize performance for site-to-site connectivity, with an architecture that isn’t designed to support remote users and clouds. Additionally, SD-WAN’s security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users, and appliances. Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administer, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep. And who needs that headache?

So, how do you solve all four of the above challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”?

3. Ever Heard of SASE?

No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture, which doesn’t focus on adding more features to the complicated pile of point solutions, but targets “operational simplicity, automation, reliability and flexible business models” (Gartner, Strategic roadmap for networking, 2019). According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS” (Gartner, Hype Cycle for Enterprise Networking 2019). Gartner is extremely clear that these requirements aren’t just “nice-to-have” but non-negotiables: the solution must be converged, cloud-native, global, support all edges, and offer unified management. SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated.

So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE?

It’s time to think strategically: Move beyond the limitations of SD-WAN

No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge. This means that only a SASE solution with an integrated SD-WAN, which includes a global private backbone (over costly long-haul MPLS), ZTNA (to serve remote access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud), allows you to successfully grow the business while maintaining your sanity.

If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud. Check out this Cato SASE E-book to understand:

Why point products like SD-WAN won’t solve long-term architectural problems
What you need to look for in a SASE solution
Why Cato is the only true SASE solution in enterprise networking and security

Eye-Opening Results from Forrester’s Cato SASE Total Economic Impact Report

We’ve been touting the real-world benefits of Cato SASE on our Web site and in seminars, case studies, and solution briefs since the company was founded, but how do those benefits translate into hard numbers? We decided it was time to quantify Cato SASE’s real-world financial benefit with a recognized, well-structured methodology, so we commissioned a Total Economic Impact (TEI) study with the consulting arm of the leading analyst firm Forrester. Forrester interviewed several Cato customers in depth and used its proprietary TEI methodology to come up with numbers for investment impact, benefits, costs, flexibility, and risks. More on this later.

The results were impressive. According to Forrester, Cato’s ROI came out to 246% over three years with total savings of $4.33 million net present value (NPV) and a payback of the initial investment in under six months. Those numbers don’t include additional savings from less tangible benefits such as risk reduction. The $4.33 million NPV savings break down this way:

$3.8 million savings in reduced operations and maintenance
$44,000 savings in reduced time to configure Cato at new sites
$2.2 million savings from retiring all the systems replaced by Cato Networks
Investment of $1.76 million over three years
$6.09 million – $1.76 million = $4.33 million NPV

Numbers Are Only Half the Story

The numbers are certainly impressive, but some of the unquantified benefits the report picked up were perhaps even more enlightening:

Improved employee morale: Team members reported that the activities they were able to shift to after switching to Cato (optimizing systems, for example) were considerably more rewarding than the more mundane activities of setting up, updating, and managing a lot of equipment before Cato.

Consistent security rules: Deploying Cato revealed a lot of inconsistencies in organizations’ governing and securing of network traffic across different sites. The Cato SASE Cloud was able to quickly consolidate all that mess into a single global set of rules, with an obvious positive impact on both security and management.

Reduced time and transit costs: Cato equipment moves through customs without delay or assessments of value-added tax (VAT). This is because Cato Sockets are very simple devices that simply direct traffic to our cloud, where most of the complex encryption and other technologies lie.

Better application performance: We expected this result, which comes from improved network performance.

Overall, respondents describe a transformative before/after experience.

Related resource: The Total Economic Impact™ of Cato Networks | Report (https://www.catonetworks.com/resources/the-total-economic-impact-of-cato-networks/?utm_source=blog&utm_medium=top_cta&utm_campaign=tei_report)

Before Cato, the organizations had to dedicate separate teams to the costly, time-consuming complexities of managing VPNs, Internet, WAN, and other functions, including spending a lot of time and resources deploying updates at each individual site. Adding new sites was a complex, time-consuming process. All that mundane work made it difficult to execute the corporate digital transformation strategy. As one technology director said about why he turned to Cato, “My goal was, I don’t want my team worrying about how to get a packet from A to B. I’m interested in Layer 7 of the network stack. I want to know: Are applications behaving the way they should? Are people getting the performance they should? Are we secure? You don’t have time to answer that if you’re worried about getting it from A to B.”

After Cato, all of the updates and most of the management were simply delegated to the Cato SASE Cloud. All the remaining network and security oversight required by the customer could be accomplished through a single Cato dashboard. This allowed organizations to redirect all those “before” resources to value-added activities such as system optimization, onboarding new acquisitions, and fast deployment of new sites. The resulting employee satisfaction benefits were substantial. As a technology director said, “What I heard from my team is, ‘I love that the problems I’m solving on a day-to-day basis are on a completely different order than what I used to have to deal with before.’ They think about complex traffic problems and application troubleshooting and performance.”

Setting up new sites was also vastly easier with Cato, as one IT manager said. “Honestly I was shocked to see how easy it was to set up and maintain an SD-WAN solution based on the whole Cato dashboard. Now there’s a saying that with [unnamed previous solution] you need 10 engineers to set it up and 20 engineers to keep it running. With Cato this all went away.”

How Forrester Got The Numbers

Forrester’s findings were the result of in-depth interviews with five decision-makers whose organizations are Cato customers. Forrester compared data based on their experiences prior to deploying Cato with a composite organizational model of a “vanilla” customer. The description of the five decision-makers is in the table below.

The report describes the composite organization that is representative of the five decision-makers that Forrester interviewed and is used to present the aggregate financial analysis in the next section. The global company is headquartered in the U.S. with 40 sites across the U.S., Europe, and the Asia Pacific region, growing to 61 by year three. It also has two on-premises and two cloud datacenters in the U.S., one on-premises and two cloud-based datacenters in Europe, and two cloud-based datacenters in Asia Pacific. Year one remote users total 1,500, growing to 2,100 by year three.

Forrester then used its proprietary TEI methodology to construct a financial model with risk-adjusted numbers. The TEI modeling fundamentals included investment impact, benefits, costs, flexibility, and risks. Some of the more dramatic savings numbers came in operations and maintenance: The organization was able to redirect 10 full-time employees (FTEs) from operations and maintenance to more value-adding activities in year one. By year three it avoided having to hire 12 more FTEs that would have had to manage the previous solution. The average fully loaded annual compensation for a single full-time data engineer is $148,500.

Lots of savings also came from retired systems, including the traditional edge router, perimeter next-generation firewall appliances, intrusion detection and prevention systems, and SD-WAN. And then there were benefits from Cato’s remote access flexibility. As one IT team manager said, “When COVID hit we were able to add the entire company to the VPN and provide them the ability to work from home in a matter of days. That was amazing.” (Follow the link to read more about Cato’s approach to secure remote access.)

I could go on, but take a look for yourself. There’s a lot more juicy data in the report; it’s pretty surprising at times and not a difficult read. You can access The Total Economic Impact™ of Cato Networks report by following the link.

Making Site Support a Bit Easier. Meet the Diagnostic Toolbox in Your Cato Socket

One of the more frustrating aspects of more users working from home, and remote connectivity in general, is that troubleshooting often requires user involvement at a really bad time. Users are complaining about connection issues, and just when they're frustrated, you need them to be patient enough for you to walk them through the troubleshooting steps needed to diagnose the problem. Wouldn’t it have been better if you had tools already in place before a problem occurs? Then you could run your testing without involving the user.

Well, now you do. We’ve added an IT toolbox to our Cato Socket, Cato’s SD-WAN device. Embedded in the Socket Web UI is a single interface through which network administrators can test and troubleshoot remote connectivity without involving the end user. Ping, Traceroute, Speedtest, and iPerf are already available, instantly, through a common interface and without any user involvement.

Figure: The IT toolbox within the Cato Socket UI provides a range of tools for IT to diagnose last-mile connections from a single web interface.

Related resource: Cato Demo: From Legacy to SASE in Under 2 Minutes With Cato Sockets (https://www.catonetworks.com/resources/socket-short-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=short_socket_demo)

Of course, those are not the only troubleshooting tools provided in Cato SASE Cloud. Cato was built from the philosophy that network troubleshooting is a team sport. While Cato Networks engineers maintain the Cato private backbone for 99.999% uptime, Cato users can manage and run the network themselves. They don’t have to open support tickets for changes they can just as easily address independently. Cato provides the tools for doing just that.

Numerous dashboards reporting on packet loss, latency, jitter, and real-time status help IT diagnose problems once users are connected to Cato.

Figure: Cato includes dynamic dashboard reports on last-mile packet loss, latency, jitter, throughput and more for upstream and downstream connections.

Our event discovery capability provides any IT team with advanced research and analytics tools to query a data warehouse that we curate and maintain. It organizes more than 100 types of security, connectivity, system, routing, and Socket management events into a single timeline that can be easily queried. Complex queries can be easily built by selecting from the types and sub-types of events, to compare the test data being collected via the tools in the Socket Web UI against what has previously occurred on that network connection.

Figure: With Events, Cato converges networking and security events into a single timeline, simplifying the troubleshooting process.

Remote troubleshooting has always been a challenge for IT. With remote offices and more users working from home, that challenge will only grow. Having the diagnostic tools in place before problems occur goes a long way to improving IT satisfaction.

Moving Beyond Remote Access VPNs

The COVID-19 pandemic drove rapid, widespread adoption of remote work. Just a few years ago, many organizations considered remote work inefficient or completely impossible for their industry and business. With the pandemic, remote work was proven to not only work but work well. However, this rapid shift to remote work left little time to redesign and invest in remote work infrastructure and raised serious information security concerns. As a result, many companies attempted to meet the needs of their remote workforce via remote access VPNs, with varying levels of success.

This is part of a guide series about Access Management.

What is a Remote Access VPN and How Does it Work?

A remote access virtual private network (VPN) is a solution designed to securely connect a remote user to the enterprise network. A remote access VPN creates an encrypted tunnel between a remote worker and the enterprise network. This allows traffic to be sent securely between these parties over untrusted public networks.

VPNs in general are designed to create an encrypted tunnel between two points. Before sending any data over the connection, the two VPN endpoints perform a handshake that allows them to securely generate a shared secret key. Each endpoint of the VPN connection then uses this shared key to encrypt the traffic it sends to the other endpoint and to decrypt the traffic it receives. This creates the VPN tunnel that allows traffic to be sent over a public network without the risk of eavesdropping.

In the case of a remote access VPN, one end of the VPN connection is a VPN appliance or concentrator on the enterprise network and the other is a remote worker’s computer. Both sides perform the handshake and handle the encryption and decryption of all data on the VPN connection, and a user will have access to resources similar to if they were in the office.
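To make the handshake-then-tunnel sequence described above concrete, here is an added example in Go; it is not code from the original post and not Cato's implementation. It assumes X25519 for the key agreement, HMAC-SHA256 with a hypothetical label string as the key-derivation step, and AES-256-GCM for the tunnel traffic, all from Go's standard library; the "remote worker" and "VPN concentrator" roles, the packet layout (an 8-byte sequence header in front of the ciphertext) and the request string are constructed for the illustration. Only the ephemeral public keys cross the wire; the traffic key is derived independently on each side and never transmitted. The example covers key agreement, per-packet encryption, integrity checking and replay rejection; it does not authenticate the peers to each other, which a real VPN handshake does with certificates or pre-shared keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Endpoint is one side of the tunnel: the remote worker's client (initiator)
// or the VPN concentrator on the enterprise network (responder).
type Endpoint struct {
	initiator bool
	priv      *ecdh.PrivateKey // ephemeral X25519 key pair, never leaves this side
	aead      cipher.AEAD      // traffic key, set once the handshake completes
	sendSeq   uint64           // sequence number of the last packet sent
	recvSeq   uint64           // highest sequence number accepted from the peer
}

func newEndpoint(initiator bool) *Endpoint {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable
	}
	return &Endpoint{initiator: initiator, priv: priv}
}

// complete finishes the handshake with the peer's public key: both sides compute
// the same X25519 shared secret and stretch it into an AES-256-GCM key via HMAC-SHA256.
func (e *Endpoint) complete(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	secret, err := e.priv.ECDH(pub)
	if err != nil {
		return err
	}
	kdf := hmac.New(sha256.New, secret)
	kdf.Write([]byte("toy-vpn traffic key v1")) // hypothetical KDF label
	block, _ := aes.NewCipher(kdf.Sum(nil))      // 32-byte key: cannot fail
	e.aead, err = cipher.NewGCM(block)
	return err
}

// nonce: a direction byte (so the two directions never share a nonce) then the sequence number.
func nonce(fromInitiator bool, seq uint64) []byte {
	dir := byte(2)
	if fromInitiator {
		dir = 1
	}
	return binary.BigEndian.AppendUint64([]byte{dir, 0, 0, 0}, seq)
}

// Seal builds one tunnel packet: an 8-byte cleartext sequence header, bound to
// the ciphertext as associated data, followed by the GCM ciphertext and tag.
func (e *Endpoint) Seal(plaintext []byte) []byte {
	e.sendSeq++
	hdr := binary.BigEndian.AppendUint64(nil, e.sendSeq)
	return e.aead.Seal(hdr, nonce(e.initiator, e.sendSeq), plaintext, hdr)
}

// Open authenticates and decrypts a peer packet; tampering fails the tag, a non-advancing sequence is a replay.
func (e *Endpoint) Open(packet []byte) ([]byte, error) {
	if len(packet) < 8 || binary.BigEndian.Uint64(packet) <= e.recvSeq {
		return nil, fmt.Errorf("short, replayed or out-of-order packet (last accepted seq %d)", e.recvSeq)
	}
	seq := binary.BigEndian.Uint64(packet)
	pt, err := e.aead.Open(nil, nonce(!e.initiator, seq), packet[8:], packet[:8])
	if err != nil {
		return nil, err // wrong key, wrong direction or tampered bytes
	}
	e.recvSeq = seq
	return pt, nil
}

// Handshake pairs a remote worker with a concentrator: each sends its public
// key and each then derives the same traffic key, which is never transmitted.
func Handshake() (client, server *Endpoint, err error) {
	client, server = newEndpoint(true), newEndpoint(false)
	if err = client.complete(server.priv.PublicKey().Bytes()); err == nil {
		err = server.complete(client.priv.PublicKey().Bytes())
	}
	return client, server, err
}

func main() {
	c, s, err := Handshake()
	if err != nil {
		panic(err)
	}
	pt, err := s.Open(c.Seal([]byte("GET /intranet/ HTTP/1.1"))) // constructed sample
	fmt.Printf("concentrator received %q, err=%v\n", pt, err)
}
```

Two design points matter for a defender reading this. First, the sequence header is authenticated as associated data, so an on-path party cannot renumber a packet to slip it past the replay check without breaking the GCM tag. Second, the direction byte in the nonce means a packet captured in one direction cannot be reflected back to its sender, even though both directions share one key; a production protocol would normally derive separate keys per direction as well.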
Why Companies Need to Move Beyond Remote Access VPNs

Remote access VPNs were widely adopted in the wake of COVID-19 because companies had existing VPN infrastructure and were simply comfortable with the technology. However, these VPN solutions have numerous limitations, including:

Continuous Usage: Corporate VPN infrastructure was originally designed to occasionally connect a small percentage of the workforce to the enterprise network and resources. With the need to support continuous remote work for most or all of the organization’s employees, remote access VPNs no longer meet business requirements.

Limited Scalability of VPNs: Existing VPN infrastructure was not built to support the entire workforce, making it necessary to scale to meet demand. Attempting to solve this issue using additional VPN appliances or concentrators increases the complexity of the enterprise network and requires additional investment in security appliances as well.

Lack of Integrated Security: A remote access VPN is designed to provide an encrypted connection between a remote worker and enterprise systems. It does not include the enterprise-grade security inspection and monitoring that is necessary to protect against modern cyber threats. Relying on remote access VPNs forces companies to invest in additional, standalone security solutions to secure their VPN infrastructure.

Security Granularity: A remote access VPN provides access similar to a direct connection to the enterprise network. These VPNs provide unrestricted access to enterprise resources, in violation of the principles of least privilege and zero-trust security. As a result, a compromised account can provide an attacker with far-reaching access and enables the unrestricted spread of malware.

Performance and Availability: VPN traffic travels over the public Internet, meaning that its performance and availability depend on that of the underlying Internet. Packet loss and jitter are common on the Internet, and latency and availability issues can have a significant impact on the productivity of a remote workforce reliant on remote VPNs for connectivity.

Geographic Limitations: VPNs are designed to provide point-to-point connectivity between two locations. As companies become more distributed and reliant on cloud-based infrastructure, using VPNs for remote access creates complex VPN infrastructure or inefficient traffic routing.

Remote access VPNs were a workable secure remote access solution when a small number of employees required occasional remote connectivity to the enterprise network. As telework becomes widespread and corporate networks become more complex, remote access VPNs no longer meet enterprise needs.

Enterprise Solutions for Secure Remote Access

VPNs are the oldest and best-known solution for secure remote access, but this certainly doesn’t mean that they are the best available solution. The numerous limitations and disadvantages of VPNs make them ill-suited to the modern, distributed enterprise that needs to support a mostly or wholly remote workforce.

Today, VPNs are not the only option for enterprise secure remote access. Gartner has coined the term Secure Access Service Edge (SASE) to describe cloud-native solutions that integrate SD-WAN functionality with a full security stack. Zero trust network access (ZTNA) is one of the security solutions integrated into SASE and serves as a superior alternative to the remote access VPN. Some of the advantages of replacing remote access VPNs with SASE include:

Scalability and Flexibility: SASE is built using a network of geographically distributed, cloud-based Points of Presence (PoPs). This enables the SASE network to seamlessly scale to meet demand without the need to deploy additional VPN and security appliances.

Availability and Redundancy: SASE nodes are built to be redundant and to identify the best available path to traffic’s destination. This offers much higher availability and resiliency and eliminates the single points of failure of VPN-based remote access infrastructure.

Private Backbone: SASE PoPs are connected via a secure private backbone. This enables SASE to provide performance and availability guarantees that are not possible for Internet-based VPNs.

Integrated Security: In addition to ZTNA, which enforces zero-trust access controls, SASE PoPs integrate a full stack of network security solutions. This enables them to provide enterprise-grade security without the need for additional standalone security solutions, inefficient routing, or security chokepoints.

If you’re looking to deploy or upgrade your organization’s secure remote access infrastructure, a remote access VPN is likely not the right answer. Cato’s SASE-based remote access service provides all of the benefits of a VPN with none of the downsides. To learn more about SASE and how it can work for your business, contact us here.

See Additional Guides on Key Access Management Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.

Network Topology Mapping
Network Topology Mapping 101: The Categories, Types, and Techniques
What is Microsegmentation? How Network Microsegmentation Can Protect Data Centers

ABAC
ABAC (Attribute-Based Access Control): A Complete Guide
RBAC vs ABAC. Or maybe NGAC?
AWS ABAC: Explained

RBAC
What Is Role-Based Access Control (RBAC)? A Complete Guide
Role Based Access Control Best Practices You Must Know
RBAC in Azure: A Practical Guide

What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE

What is Network-as-a-Service and Why WAN Transformation Needs NaaS and SASE The networking industry loves a good buzzword as much as any other IT sector. Network-as-a-Service (NaaS) certainly fits that billing. The term has been around for at least a decade has come back in vogue to describe networking purchased on a subscription basis. But what’s particularly interesting for anyone moving away from a global MPLS network or otherwise looking at WAN transformation is the impact NaaS will have on evolving the enterprise backbone. For all of its talk, SASE as understood by much of the industry, will not completely replace a global MPLS network; the Internet is simply too unpredictable for that. Only by converging SASE with NaaS can companies eliminate costly, legacy MPLS services. What is NaaS (Network-as-a-Service) Exactly what constitutes a NaaS is open to some debate. All agree that NaaS offerings allow enterprises to consume networking on a subscription basis without having to deploy any hardware. According to a recent Network World article, IDC’s senior research analyst Brandon Butler wrote in a recent whitepaper "NaaS models are inclusive of integrated hardware, software, licenses and support services delivered in a flexible consumption or subscription-based offering.” Cisco in its recent report flushed that out a bit further defining NaaS as “a cloud-enabled, usage-based consumption model that allows users to acquire and orchestrate network capabilities without owning, building, or maintaining their own infrastructure,” writes industry analyst, Tom Nolle. Gartner identifies the specific attributes of a cloud service. According to Gartner’s Andrew Lerner, “NaaS is a delivery model for networking products. NaaS offerings deliver network functionality as a service, which include the following capabilities: elf-service capability on-demand usage, Ability to scale up and down. 
billed on an opex model consumption-based, via a metered metric (such as ports, bandwidth or users), (not based on network devices/appliances). NaaS offerings may include elements such as network switches, routers, gateways and firewalls.” For those running datacenter networks, Network World reports NaaS offerings will allow them to purchase compute, networking, and storage components configured through an API and controlled by a common management package. (Personally, I find the focus on the appliance form factor a reflection of legacy thinking. Gartner’s view of a consumption-based model based on bandwidth or users, not appliances, I think to be more accurate but let’s leave that aside for the comment.) But for those involved in the WAN, NaaS is also increasingly coming to describe a new kind of backbone, one that’s programmable, sold on a subscription basis, and designed for the cloud. “I see NaaS as a way to describe agile, programmable backbones and interconnections in a hybrid, multi-cloud architecture,” wrote Shamus McGillicuddy, vice president of network management research at Enterprise Management Associates in an email. [boxlink link="https://www.catonetworks.com/resources/terminate-your-mpls-contract-early-heres-how/?utm_source=blog&utm_medium=top_cta&utm_campaign=terminate_mpls_ebook"] Terminate Your MPLS Contract Early | Here’s How [/boxlink] NaaS Must Meet SASE But here’s the thing, with the proliferation of threats any networking service cannot be divorced from security policy enforcement and threat prevention. It’s why SASE has emerged to be such a dominant force. The convergence of SD-WAN with four areas of security -- NGFW, SWG, CASB, and ZTNA – enables enterprises to extend security policies everywhere will also being more effective and more efficient. (Just check out what our customers say if you want first-hand proof.) But SASE alone can’t replace MPLS. 
Converging SD-WAN and security still doesn’t address the need for a predictable, efficient global backbone. And the public Internet is far too unpredictable and too inefficient to support the global enterprise. What’s needed is to converge SASE with a backbone NaaS: a global private backbone delivered on a subscription basis.

Cato: The Global SASE Platform That Includes NaaS

The Cato SASE Cloud is the only SASE platform that operates across its own global private backbone, providing SASE and backbone NaaS in one. With the Cato SASE platform, enterprises not only converge security with SD-WAN, but they also get predictable, optimized global connectivity. “Cato Networks operates its own security network as a service (NaaS) providing a range of security services including SWG, FWaaS, VPN, and MDR from its own cloud-based network,” writes Futuriom in its “Cloud Secure Edge and SASE Trends Report.”

The Cato private backbone is a global, geographically distributed, SLA-backed network of 65+ PoPs, interconnected by multiple tier-1 carriers. Each PoP runs Cato’s cloud-native software stack, which, along with security convergence, provides global routing optimization and WAN optimization for maximum end-to-end throughput. Our software continuously monitors network services for latency, packet loss, and jitter to determine, in real time, the best route for sending every network packet. In fact, according to independent testing, Cato’s is the only backbone NaaS in the world to include WAN optimization and, as a result, increases iPerf throughput 10x-20x over what you’d expect to see with MPLS or Internet. The backbone is fully encrypted for maximum security and self-healing for maximum uptime.

The Cato Socket, Cato’s edge SD-WAN device, automatically connects to the nearest Cato PoP. All outbound site traffic is sent to the PoP. Policies then direct Internet traffic out to the Internet and the rest across the Cato backbone.
SASE and NaaS Better Together

Converging SASE and backbone NaaS together also offers unique advantages compared to keeping the two separate. Deployment becomes incredibly quick. Customers can often bring up new locations on Cato, complete with SD-WAN, routing policies, access policies, malware protection rules, and global backbone connections, in under two hours and without expert IT assistance.

Convergence also allows for deeper insights. Cato captures and stores the metadata of every traffic flow from every user across its global private backbone in a massive data lake. This incredible resource enables Cato engineers to do all sorts of “what if” analysis, which would otherwise be impossible. One practical example is the Cato Event screen, which displays all connectivity, routing, security, system, and Socket management events on one queryable timeline for the past year. Suddenly it becomes very simple to see why users might be having a problem. Was it a last-mile issue? A permissions issue caused by a reconfigured firewall rule? Something else? Identifying root cause becomes much quicker and simpler when you have a single, holistic view of your infrastructure.

Figure: Converging the backbone, SD-WAN, and security into one service enables all events to be presented in a single screen for easy troubleshooting.

WAN Transformation That Makes Sense

In short, converging NaaS and SASE together results in better WAN transformation, one that reduces cost, simplifies security, and improves performance, all without compromising on the predictability and reliability enterprises expect from their networks. Hard to believe? Yeah, we get that. It’s why we’ve been called the “Apple of networking.” But don’t take our word for it. Take us for a test drive and see for yourself. We can usually get a POC set up in minutes or hours, not days. But that shouldn’t be a surprise. We’re an “as a service” after all.

Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application

Independent Compliance and Security Assessment – Two Additions to the All-New Cato Management Application

If a picture tells a thousand words, then a new user interface tells a million. The new Cato Management Application that we announced today certainly brings a scalable, powerful interface. But it’s far more than just another pretty face. It’s a complete restructuring of the backend event architecture and a new frontend with more than 103 improvements. New dashboards and capabilities can be found throughout the platform. We improved cloud insight with a new advanced cloud catalog. New independent conformance testing for regulatory compliance and security capabilities is, I think, a first in the industry. We enhanced security reporting with an all-new threats dashboard and opened up application performance with another new dashboard. Let’s take a closer look at some of these changes.

New Topology View and a New Backend

The top-level topology view has been redesigned to accommodate deployments of thousands of sites and tens of thousands of users. In the new Management Application, we’ve enabled customization of the top-level view, enabling you to decide how much detail to show across all edges — sites, remote users, and cloud assets — connected to and secured by Cato SASE Cloud (see Figure 1).

Figure 1: Cato’s new Management Application lets enterprises continue to manage their network, security, and access infrastructure from a common interface (1). The new front-end is completely customizable and can surface the providers (2) connecting sites and remote users. You can easily identify problematic sites (3) and drill down into a user or location’s stats at a click (4).

Behind the Cato Management Application is a completely rearchitected backend.
Improved query analytics for site metrics and events makes the process more efficient and the interface more responsive, even with customer environments generating over 2 billion events per day. A new event pipeline increases the event retrieval volume while allowing NetOps and NetSecOps to be more specific and export just the necessary events.

Independent Compliance Rating Revolutionizes Compliance and Security Verification

A new cloud application catalog has been introduced with 5000 of the most common enterprise applications. For each application, the catalog includes a detailed description of the target app, automatically generated by a proprietary data mining service, and an independently verified risk score (see Figure 2).

Figure 2: The new Cloud Apps Catalog contains more than 5000 applications with an overall risk score.

The risk score is based on Cato’s automated and independent assessment of the cloud application’s compliance levels and security capabilities. Using the massive data lake we maintain of the metadata from every flow crossing Cato’s Global Private Backbone, machine learning algorithms automatically check an application’s claimed regulatory compliance and security features. Currently, Cato’s regulatory compliance verification includes HIPAA, PCI, and SOC 1-3. Security feature verification includes MFA, encryption of data at rest, and SSO (see Figure 3).
Figure 3: Cato independently verifies the application’s conformance with regulations and security features.

New Threat Dashboard Identifies Key Threats Across the Enterprise

Figure 4: The new Threat Dashboard provides a snapshot of threats across enterprise security infrastructure for assessing the company’s Shadow IT position.

The new Threat Dashboard summarizes the insights drawn from Cato’s Managed IPS, FWaaS, SWG, and Anti-Malware services. Through a single dashboard, security teams can see the top threats across the enterprise. A dynamic, drill-down timeline allows security teams to gather more insight. Top hosts and users identify the impacted individuals and endpoints (Figure 4).

New Application Dashboard Provides Snapshot of Usage Analytics

With the new Application Dashboard, you gain an overall view of your enterprise application analytics. Administrators can easily understand current and historical bandwidth consumption and flow generation by combinations of sites, users, applications, domains, and categories (Figure 5).

Figure 5: The new Application Analytics dashboard provides an overview of application usage that can be easily segmented by combinations of multiple dimensions. In this case, application consumption is shown for each user at a particular site.

The Cato Management Application is currently available at no additional charge. To learn more about the management platform, check out the 30-minute walkthrough video, or contact us for a personal demo.

New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications

New Insight Into SASE from the Recent Gartner® Report on Impact Radar: Communications

In the recent Emerging Technologies and Trends Impact Radar: Communications,1 Gartner expanded our understanding of what it means to be a SASE platform. The Gartner report states, “While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.” To learn more, check out this excerpt of the SASE text from the report:

Secure Access Service Edge (SASE)

Analysis by: Nat Smith

Description: Secure access service edge (SASE, pronounced “sassy”) delivers multiple converged network and security as a service capabilities, such as SD-WAN, secure web gateway (SWG), cloud access security broker (CASB), firewall, and zero trust network access (ZTNA). SASE supports branch office, remote worker and on-premises general internet security use cases. SASE is primarily delivered as a service and enables dynamic zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies. SASE is evolving from five contributing security and network segments: software-defined wide-area network (SD-WAN), firewall, SWG, CASB and ZTNA. The consolidation of offerings into a single SASE market continues to increase buyer interest and demand. Several vendors offer completely integrated solutions already, and many vendors offer intermediary steps, usually consolidating five products into two. Consolidation and integration of capabilities is one of the main drivers for buyers moving to SASE.
This is more important than best-of-breed capabilities for the moment, but that will change as consolidated, single-vendor solutions become more mature. While the list of individual capabilities continues to evolve and differ between vendors, serving those capabilities from the cloud edge is non-negotiable and fundamental to SASE. There are components of SASE, such as some of the networking features with SD-WAN, that reside on-premises, but everything that can be served from cloud edge should be. A solution with all of the SASE functions integrated into a single on-premises appliance is not a SASE solution.

Range: 1 to 3 Years

Even though some vendors are not implementing all portions of SASE on their own today, Gartner estimates SASE is about one to three years away from early majority adoption. There are several factors or use cases that we predict will drive the speed of adoption. Consolidation of administration and security enforcement of cloud services, network edge transport, and content protection features drives higher efficiency and scale for remote workers and cloud services. There are three key market segments that we expect to consolidate and serve as components of SASE: these are SWG, CASB and ZTNA. The majority of end users have already transitioned to cloud-based services or are actively doing so now. Second, instead of five components loosely from separate vendors, a single SASE offering with all five components converged into a single offering is the other activity to watch. Several vendors offer complete SASE solutions today and those solutions are maturing quickly. Because of the availability of these two factors, or use cases, buyer adoption is picking up.
Mass: High

Mass is high because SASE has a direct impact on the future of its five contributing market segments — SD-WAN, firewall, SWG, CASB and ZTNA — predicting that they will largely go away, eventually to be engulfed by SASE. Client interest, Google searches, and analyst opinion further validate the likelihood of SASE. Further adding to mass, SASE is also appropriate across all industries and multiple business functions. The changes required for offerings in the contributing segments to evolve to a SASE cloud edge-based solution are significant for some of these contributing markets. The density of this change is high — not only because this affects five segments, but some of these segments are quite large. Appliance-based products will need to transform into cloud native services, not merely cloud-hosted virtual machines (VMs). However, a cloud-native service alone is not sufficient — vendors will also need points of presence (POPs) or cloud edge presence as well, which may require substantial investment or partnerships.

Recommended Actions:
- Create a migration path that gives buyers the flexibility to easily adopt SASE capabilities when ready while still being able to use and manage their existing network and security investments. Most buyers will need to work in a hybrid environment of part SASE and part traditional elements for an extended period of time.
- Fill out your portfolio or aggressively partner through deep integration to cover any gaps in the SASE offering. Products in the five contributing segments will increasingly become undesirable to buyers if they do not have a convergence path to SASE.
- Develop cloud-native components as scalable microservices that can all process packets in a single pass. In a highly competitive SASE market, agility and cost will increasingly become important, and microservices provide both of these benefits.
- Build a network of distributed points of presence (POPs) through colocation facilities, service provider POPs or infrastructure as a service (IaaS) to reduce latency and improve performance for network security services. The evolution to SASE also requires an evolution of product delivery vehicles.

Gartner Disclaimer: GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

1 Gartner, “Emerging Technologies and Trends Impact Radar: Communications”, Christian Canales, Bill Ray, Kosei Takiishi, Andrew Lerner, Tim Zimmerman, Simon Richard, 13 October 2021

The Future of the Enterprise Firewall is in The Cloud

The Future of the Enterprise Firewall is in The Cloud

If you're like many of the IT leaders we encounter, you're likely facing a refresh on your firewall appliances or will face one soon enough. And while the standard practice was to exchange one firewall appliance for another, increasingly, enterprises seem to be replacing firewall appliances with firewall-as-a-service (FWaaS). Yes, that's probably not news coming from Cato. After all, we've seen more than 1,000 enterprises adopt Cato's FWaaS to secure more than 300,000 mobile users and 15,000 branch offices. And in every one of those deployments, FWaaS displaced firewall appliances. But it's not just Cato who's seeing this change. Last year, Gartner® projected that by 2025, 30% of new distributed branch office firewall deployments would switch to FWaaS, up from less than 5% in 2020.1 And just this week, for the first time, Gartner included Cato in its "Magic Quadrant™ for Network Firewalls" for the FWaaS implementation of a cloud-native SASE architecture, the Cato SASE Cloud.2

What's Changing for FWaaS

What's behind this change? FWaaS, and Cato's FWaaS in particular, eliminates the cost and complexity of buying, evaluating, and upgrading firewall appliances. It also makes keeping security infrastructure up-to-date much easier. Rather than stopping everything and racing to apply new IPS signatures and software patches whenever a zero-day threat is found, Cato's FWaaS is kept updated automatically by Cato’s engineers. Most of all, FWaaS is a better fit for the macro trends shaping your enterprise. No matter where users work or resources reside, FWaaS can deliver secure access, easily. By contrast, physical appliances are poorly suited for securing cloud resources, and virtual appliances consume significant cloud resources while requiring the same upkeep as their physical equivalents. And with users working from home, investing in appliances makes little sense.
Delivering secure remote access with an office firewall requires backhauling the user’s traffic, increasing latency, and degrading the remote user experience.

Not Just FWaaS, Cloud-Native FWaaS

But to realize those benefits, it's not enough that a provider delivers FWaaS. The FWaaS must run on a global cloud-native architecture. FWaaS offerings running on physical or virtual appliances hosted in the cloud mean resource utilization is still locked into the granularity of appliances, increasing their costs to the providers — and ultimately to their customers. Appliances also force IT leaders to think through and pay for high-availability (HA) and failover scenarios. It's not just about running redundant appliances in the cloud. What happens if the PoP hosting those appliances fails? How do connecting locations and users fail over to alternative PoPs? Does the FWaaS even have sufficient PoP density to support that failover?

By contrast, with a cloud-native FWaaS, the Cato SASE Cloud shares virtual infrastructure in a way that abstracts resource utilization from the underlying technology. The platform is stateless and fully distributed, assigning tunnels to the optimum Cato Single Pass Cloud Engine (SPACE). The Cato SPACE is the core element of the Cato SASE architecture and was built from the ground up to power a global, scalable, and resilient SASE cloud service. Thousands of Cato SPACEs enable the Cato SASE Cloud to deliver the complete set of networking and security capabilities to any user or application, anywhere in the world, at cloud scale, and as a service that is self-healing and self-maintaining. What are the five attributes of a "cloud-native" platform?
Check out this blog post, "The Cloud-Native Network: What It Means and Why It Matters," for a detailed explanation.

Key to delivering a self-healing and self-maintaining architecture without compromising performance is the geographic footprint of the FWaaS network. Without sufficient PoPs, latency grows as user traffic must first be delivered to a distant PoP and then be carried across the unpredictable Internet. By contrast, the Cato Global Private Backbone underlying Cato's FWaaS is engineered for zero packet loss, minimal latency, and maximum throughput by including WAN optimization. The backbone interconnects Cato's more than 65 PoPs worldwide. With so many PoPs, users always have a low-latency path to Cato, even if one PoP should fail. How much better is the Cato global private backbone? An independent consultant recently tested iPerf performance across Cato, MPLS, and the Internet. Across Cato, iPerf improved by more than 1,300%. Check out the results for yourself here: https://www.sd-wan-experts.com/blog/cato-networks-hits-2-5b-and-breaks-speed-barrier/

Cato SASE Cloud: FWaaS on Steroids and a Whole Lot More

Of course, as a SASE platform, FWaaS is only one of the many services delivered by the Cato SASE Cloud. In addition to a global private backbone that can replace any global MPLS service at a fraction of the cost, Cato's networking capabilities include edge SD-WAN, optimized secure remote access, and accelerated cloud datacenter integration. FWaaS is only one of Cato's many security services. Other security services include a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAM), managed IPS-as-a-Service (IPS), and a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints.
And all services are seamlessly and continuously updated by Cato's dedicated networking and security experts to ensure maximum availability, optimal network performance, and the highest level of protection against emerging threats.

FWaaS: A Better Way to Protect the Enterprise

In our opinion, the Gartner experts' inclusion of Cato SASE Cloud in the Magic Quadrant is recognition of the unique benefits cloud-native FWaaS brings to the enterprise. FWaaS built on appliances simply cannot meet enterprise requirements, neither for performance nor for uptime. Cato’s cloud-native approach not only made FWaaS possible, but we proved that it can meet the needs of the vast majority of sites and users. Over time, cloud-native FWaaS will become the dominant deployment model for enterprise security.

And Cato isn’t stopping there. Every quarter we expand our backbone, adding more PoPs. All of those PoPs run our complete SASE stack; they don’t just serve as network ingress points where traffic must be sent to yet another PoP for processing. We will also be adding new security services next year, not by putting a marketing wrapper around acquired or third-party solutions, but by building them ourselves, directly into the rest of the Cato Cloud. As for EPP and EDR, neither is currently in scope for SASE, but both are viable targets for convergence.

Comparing cloud services and boxes is always challenging. Ultimately, enterprises face a trade-off between DIY or consuming the technology as a service. Moving to the cloud alters the cost of ownership, bringing the same agility and power that’s changed how we consume applications, servers, and storage to security. To better understand how Cato can improve your enterprise, contact us to run a quick proof-of-concept. You won't be disappointed.
1 Gartner, Critical Capabilities for Network Firewalls, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Adam Hils, Jeremy D'Hoinne, 10 November 2020
2 Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, and Adam Hils, 1 November 2021

GARTNER and MAGIC QUADRANT are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Personalized alerts straight from production environments

Personalized alerts straight from production environments

Good descriptive logs are an essential part of any code that makes it to production. But once the deliverable leaves your laptop, how much do you really look at them? Sure, when catastrophe hits, they provide a lot of the required context of the problem, but if everything just works (or so you think), do you look at them? Monitoring tools do (hopefully), but even they are configured to only look for specific signs of disaster, not your everyday anomalies. And when will these be added? Yup, soon after a failure, as we all know any root cause analysis doesn’t come complete with a list of additional monitoring tasks. One of our security researchers developed a solution. Here’s what he had to say:

What I’ve implemented is a touch-free and personalized notification system that takes you and your fellow developers a couple of steps closer to the production runtime. Those warning and error logs? Delivered to you in near real time, or in a (daily) digest shedding light on what really goes on in that ant farm you’ve just built. Moreover, by using simple code annotations, log messages can be sent to a Slack channel, enabling group notifications and collaboration. Your production environment starts talking to ya. The system enables developers to gain visibility into the production runtime, resulting in quicker bug resolution times, fine tuning of runtime behavior and a better understanding of the service behavior. Oh, and I named it Dice - Dice Is Cato’s Envoy. It was a fun project to code and is a valuable tool we use.

How does it work then?

The first step is building a list of log messages extracted from the source code and a matching list of interested parties.
These can be explicitly stated in a comment following the log line in the code, or automatically deduced by looking in the source control history for the last author of the line (i.e. git blame). Yes, I can hear you shouting that the last one on the blame list isn’t necessarily the right developer, and you’d be right. However, in practice this isn’t a major problem, and it can be addressed by explicit code annotations. Equipped with this list of messages and authors, the system now scans the logs, looking for messages. We decided to focus on Warning and Error messages as they are usually used to signal anomalies or plain faults. However, when an explicit annotation is present in the code we process the message regardless of its log level.

Code examples (each code line is followed by its alerting effect):

INFO_LOG("hello cruel world"); // #hello-worlders
    Channel to which messages should be sent.
WARN_LOG("the sky is crying"); // @elmore@mssp.delta
    Explicit mention of the developer (Elmore).
ERROR_LOG("it hurts me too");
    No annotation here, so blame information will be used (e.g. pig@pen.mssn).

Alerting

Real time messages

Channel messages (as in the example above) are delivered as soon as they are detected, which we used to communicate issues in real time to developers and support engineers. This proved to be very valuable as it enabled us to do a system inspection during runtime, while the investigated issue was still occurring, dramatically lowering the time to resolution. For example, we used channel messages to debug a particularly nasty IPsec configuration mismatch. The IPsec connection configuration is controlled by our client, and hence we could not debug issues in a sterile environment where we have full control over both ends of the configuration. With the immediate notifications, we were able to get the relevant information out of the running system.

Digests

Digests are also of great value, informing a developer of unexpected or even erroneous behavior.
My code (and I guess yours also) has these “this can’t really happen” branches, where you just log the occurrence and get the hell out of the function. With Dice’s messages, I was able to know that these unimaginable acts of the Internet are actually more frequent than I imagined and should get special treatment rather than being disregarded as anomalies. Alerts are usually sent to users in the form of a daily digest, grouping all the same messages together with the number of occurrences, on which servers, and the overall time frame.

Slack usage

Using Slack as the communication platform enables the system to make some judgment regarding notification delivery: developers asked for digests to be sent only when they are online and, in any case, not during the weekend, which is easy to accommodate. Furthermore, the ability to add interactive components into the messages opens the door for the future enhancements described below.

Aftermath

Useful as Dice is, it can be made even greater. Interactivity should be improved: many times notifications should be snoozed temporarily, till they are addressed in the code, or indefinitely as they are just redundant. The right (or some definition of right) solution is usually to change the log level or remove the message entirely. However, the turnaround for this can be weeks (we deploy new versions every two weeks), so this is too cumbersome. A better way is to allow snoozing/disabling a particular message directly in Slack, via actions. "It wasn’t me" claim many Sing Sing inmates and blamed developers: the automatically generated blame database may point to the wrong author, and the system should allow for an easy, interactive way of directing a particular message to its actual author. It can be achieved via code annotations, but again this is too slow. Slack actions and a list of blame overrides is a better approach.
Wrapping up

Logs are essentially a read-only API of a system, yet they are mostly written in free form with no structural or longevity guarantees. At any point a developer can change the text and add or remove variable outputs from the messages. It is therefore hard to build robust systems that rely on message analysis. Dice, elegantly if I may say, avoids this induced complexity by shifting the attention to personalized and prompt delivery of messages directly to relevant parties, rather than feeding them into a database of some sort and relying on the monitoring team to notify developers of issues.
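The pipeline the post describes (annotated log calls, blame fallback, level rule, real-time channel posts versus a grouped digest), as an added Python example that is not Dice's or Cato's code. The macro names and annotation syntax come from the post's code examples; the source snippet, the log-line format, the log lines and the blame map standing in for `git blame` are constructed here, and printf-style placeholders in messages are generalized to wildcards so lines with variable parts still match.

```python
"""Toy version of the Dice pipeline from the post (added example, not Cato's code):
scan source for log calls and annotations, resolve recipients (annotation or blame),
match production log lines, deliver channel posts at once and the rest as a digest.
"""
import re
from dataclasses import dataclass, field

# Constructed source snippet using the macros and annotation syntax from the post.
SOURCE = """\
INFO_LOG("hello cruel world"); // #hello-worlders
WARN_LOG("the sky is crying"); // @elmore@mssp.delta
ERROR_LOG("it hurts me too");
INFO_LOG("tunnel %s is up");
"""
# Constructed stand-in for `git blame`: source line number -> last author.
BLAME = {1: "alice@example.com", 2: "bob@example.com",
         3: "pig@pen.mssn", 4: "pig@pen.mssn"}
# Constructed production log lines: "<timestamp> <host> <LEVEL> <message>".
LOGS = [
    "2021-11-01T08:00:01Z pop-ams-1 INFO hello cruel world",
    "2021-11-01T08:00:05Z pop-ams-1 INFO tunnel ipsec-17 is up",
    "2021-11-01T08:02:10Z pop-fra-2 WARN the sky is crying",
    "2021-11-01T09:15:00Z pop-ams-1 WARN the sky is crying",
    "2021-11-01T09:15:02Z pop-ams-1 ERROR it hurts me too",
    "2021-11-01T11:40:33Z pop-fra-2 ERROR it hurts me too",
    "2021-11-01T11:41:00Z pop-fra-2 WARN a message nobody logs from source",
]
LOG_CALL = re.compile(
    r'^(?P<level>INFO|WARN|ERROR)_LOG\("(?P<msg>[^"]*)"\);'
    r'(?:\s*//\s*(?P<ann>[#@]\S+))?')
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<level>INFO|WARN|ERROR) (?P<msg>.*)$")


@dataclass
class Rule:
    level: str
    template: str      # message text exactly as written in the source
    recipient: str     # '#channel', '@user' or a blame e-mail address
    explicit: bool     # True when an annotation chose the recipient
    pattern: "re.Pattern" = field(init=False)

    def __post_init__(self):
        # printf-style placeholders become wildcards so messages with variable
        # parts still match; the literal text is escaped and matched exactly.
        parts = re.split(r"%[sdufx]", self.template)
        self.pattern = re.compile(".*?".join(re.escape(p) for p in parts))


def build_rules(source, blame):
    """Steps 1 and 2: one Rule per log call, with its recipient resolved."""
    rules = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = LOG_CALL.match(line.strip())
        if not m:
            continue
        ann = m.group("ann")
        recipient = ann if ann else blame.get(lineno, "unknown-author")
        rules.append(Rule(m.group("level"), m.group("msg"), recipient, ann is not None))
    return rules


def route(log_lines, rules):
    """Steps 3 and 4: returns (real-time channel posts, digest summaries)."""
    realtime = []   # (channel, host, message) delivered as soon as seen
    digest = {}     # (recipient, template) -> count / servers / time frame
    for raw in log_lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue
        for rule in rules:
            if rule.level != m["level"] or not rule.pattern.fullmatch(m["msg"]):
                continue
            if rule.level == "INFO" and not rule.explicit:
                break   # plain INFO is not an anomaly signal; skip it
            if rule.recipient.startswith("#"):
                realtime.append((rule.recipient, m["host"], m["msg"]))
            else:
                key = (rule.recipient, rule.template)
                d = digest.setdefault(key, {"count": 0, "servers": set(),
                                            "first": m["ts"], "last": m["ts"]})
                d["count"] += 1
                d["servers"].add(m["host"])
                d["first"] = min(d["first"], m["ts"])
                d["last"] = max(d["last"], m["ts"])
            break
    return realtime, digest


def format_digest(digest):
    """Render the daily digest: one line per (recipient, message) group."""
    lines = []
    for (recipient, template), d in sorted(digest.items()):
        servers = ", ".join(sorted(d["servers"]))
        lines.append(f'{recipient}: "{template}" x{d["count"]} on {servers} '
                     f'({d["first"]} .. {d["last"]})')
    return lines


if __name__ == "__main__":
    rt, dg = route(LOGS, build_rules(SOURCE, BLAME))
    print("real-time:", rt)
    print("\n".join(format_digest(dg)))
```

The un-annotated INFO line is dropped and the WARN line with no matching source call is ignored, which is exactly the free-form-log fragility the wrap-up warns about: a changed message text silently stops matching.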

SSE: It’s SASE without the “A”

SSE: It’s SASE without the “A”

As IT leaders look to address the needs of the digital enterprise, significant changes are being pushed onto legacy networking and security teams. When those teams are in lockstep and ready to change, SASE adoption is the logical evolution. But what happens when security teams want to modernize their tools and services but networking teams remain committed to legacy SD-WAN or carrier technologies? For security teams, Gartner has defined a new category, the Security Service Edge (SSE).

What is SSE?

The SSE category was first introduced by Gartner in the “2021 Roadmap for SASE Convergence” report in March of 2021 (where it was named “Security Services Edge” with service in the plural) and later developed in several Hype Cycle reports issued in the summer. SSE is the half of secure access service edge (SASE) focusing on the convergence of security services; networking convergence forms the other half of SASE.

The Components of SSE

Like SASE, SSE offerings converge cloud-centric security capabilities to facilitate secure access to the web, cloud services, and private applications. SSE capabilities include access control, threat protection, data security, and security monitoring. To put that another way, SSE blends
- Zero Trust Network Access (ZTNA)
- Secure web gateway (SWG)
- Cloud access security broker (CASB)
- Firewall-as-a-service (FWaaS)
and more into a single-vendor, cloud-centric, converged service.

Why Is SSE Important?

The argument for SSE is much the same as for SASE. Legacy network security architectures were designed with the datacenter as the focal point for access needs.
The cloud and shift to work-from-anywhere have inverted access requirements, putting more users, devices, and resources outside the enterprise network. Connecting and protecting those remote users and cloud resources require a wide range of security and networking capabilities. SSE offerings consolidate the security capabilities, allowing enterprises to enforce security policy with one cloud service. Like SASE, SSE will enable enterprises to reduce complexity, costs, and the number of vendors. SSE Need To Be Cloud Services Not Just Hosted Appliances The SSE vision brings core enterprise security technologies into a single cloud service; today’s reality will likely be very different. As we’ve seen with SASE, SSE is still in its early days, with few, if any, delivering a single, global cloud service seamlessly converging together ZTNA, SWG, RBI, CASB, and FWaaS. And as with SASE it’s important to determine which SSE vendors are cloud-native and which are simply hosting virtual machines in the cloud. Running virtual appliances in the cloud is far different from an “as-a-service.” With cloud-hosted virtual appliances, enterprises need to think through and pay for redundancy and failover scenarios. That’s not the case with a cloud service. Costs also grow with hosted appliances in part because companies must pay for the underlying cloud resource. With a cloud service, no such costs get passed onto the user. How Are SSE and SASE Similar? Beyond an “A” in their names, what separates SSE from SASE? As we noted, SSE technologies form the security component of SASE, which means the security arguments for SSE are much the same as for SASE. With users and enterprise resources existing, well, everywhere, legacy datacenter-centric security architectures are inadequate. At the same time, the many security tools needed to protect the enterprise add complexity, cost, and complicate root-cause analysis. SSE and SASE address these issues. 
Both are expected to converge security technologies into a single cloud service, simplifying security and reducing cost and complexity. With the primary enterprise security technologies together, security policies around resources access, data inspection, and malware inspection can be consistent for all types of access and users and at better performance than doing this separately. Both SSE and SASE should also allow enterprises to add flexible, cloud-based network security to protect users out of the office. And both are identity-driven, relying on a zero-trust model to restrict user access to permitted resources. The most significant difference between SSE and SASE comes down to the infrastructure. With Gartner SSE, enterprises unable or unwilling to evolve their networking infrastructure have a product category describing a converged cloud security service. By contrast, SASE brings the same security benefits while converging security with networking. SASE: Networking and SASE Better Together But bringing networking and security together is more than a nice-to-have. It’s critical for a platform to secure office, remote users, and cloud resources without comprising the user experience. Too often, FWaaS offerings have been hampered by poor performance. One reason for this is the limited number of PoPs running the FWaaS software, but the other issue was the underlying network. Their reliance on the global Internet, not a private backbone, to connect PoPs leaves site-to-site communications susceptible to the unpredictability and high latency of the global Internet. SSE solutions will face the same challenge If they’re to enforce site-to-site security. Converging networking and security together also brings other operational benefits. Deployment times become much shorter as there’s only one solution to set up. Root cause analysis becomes easier as IT teams can use a single, queryable timeline to interrogate and analyze all networking and security events. 
Cato is SASE Cato pioneered the convergence of networking and security into the cloud, delivering the Cato SASE Cloud two years before Gartner defined SASE. Today, over 1,000 enterprises rely on Cato to connect their 300,000 remote users and 15,000 branches and cloud instances. Cato SASE Cloud connects all enterprise network resources, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global and secure, cloud-native network service. Cato SASE Cloud runs on a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The backbone’s cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of security services to protect all traffic at all times. Current security services include FWaaS, SWG, standard and next-generation anti-malware (NGAV), managed IPS-as-a-Service (IPS), and Managed Threat Detection and Response (MDR). Deploy Cato SASE for Security, Networking, or Both – Today Cato can be gradually deployed to replace or augment legacy network services and security point solutions: Transform Security Only: Companies can continue with their MPLS services, connecting the Cato Socket, Cato’s edge SD-WAN device, both to the MPLS network and the Internet. All Internet traffic is sent to the Cato Cloud for inspection and policy enforcement. Transform Networking Only: Companies replace their MPLS with the Cato SASE Cloud, a private global backbone of 65+ PoPs connected via multiple SLA-backed network providers. The PoPs software continuously monitors the providers for latency, packet loss, and jitter to determine, in real-time, the best route for every packet. Security enforcement can be done in the Cato SASE Cloud or existing edge firewall appliances. 
And, of course, when ready, enterprises can migrate networking and security to the Cato SASE Cloud, enjoying the full benefits of network transformation. To learn more about Cato can help your organization on its SASE journey, contact us here.

Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021

Horizon for SASE Adoption Shortens, Fewer Sample Vendors Identified in SASE Category of Gartner Hype Cycle for Networking, 2021

Every year, Gartner issues its annual take on the networking industry, and this year is no different. The just-released Hype Cycle for Enterprise Networking, 2021 and Hype Cycle for Network Security, 2021 provide snapshots of which networking and security technologies are on the rise, and which aren’t. And when it comes to secure access service edge (SASE), the two reports provide an optimistic picture.

The SASE market continues to mature, as evidenced by the horizon for widespread adoption. The horizon shortened significantly this year, dropping from 5-10 years in last year’s “Hype Cycle for Enterprise Networking 2020” to just 2-5 years in this year’s report.

At Cato Networks, we’ve certainly seen that change. Today, more than 900 customers, 11,000 sites and cloud instances, and well over a quarter of a million remote users rely on Cato every day. And we’ve seen large deployments, like Sixt Rent A Car, rely on the global Cato SASE platform to connect its more than 1,000 sites.

“Over the past year, we’ve seen larger enterprises adopt SASE,” says Yishay Yovel, CMO at Cato Networks. “Converging networking and security into the global Cato SASE Cloud enables these enterprises to become more efficient and agile in addressing critical business initiatives for cloud migration, widespread remote access, and business restructuring and transformation.”

Cato Identified as a Sample Vendor for SASE

The reports also identify Cato as a Sample Vendor for the SASE category for the third year in a row. In addition, the number of sample vendors identified in the SASE category narrowed from 10 vendors to 6 vendors as the challenges of delivering a cloud-native global SASE service emerged. Cato is also only one of two vendors to be identified as a Sample Vendor in the SASE, ZTNA, and FWaaS categories, arguably the three most important sections for a SASE vendor. Zscaler is the second vendor, but, in our opinion, Zscaler is an SWG and lacks the NGFW enforcement and inspection of branch-to-datacenter traffic critical to enterprise deployments.

“We believe our recognition as a Sample Vendor across SASE, ZTNA, and FWaaS categories attests to Cato’s proven capabilities in delivering a complete networking and security platform for the enterprise,” says Shlomo Kramer, CEO and co-founder of Cato Networks. “Through our Cato SPACE architecture, we provide the only global, cloud-native SASE solution that can be deployed, simply and easily, by organizations of all sizes to enable optimal and secure access to anyone, anywhere, and to any application.”

To learn more about the Hype Cycle for Networking, download your copy today.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner’s Nat Smith Explains What Is and Is Not SASE

Gartner’s Nat Smith Explains What Is and Is Not SASE

A good portion of my day is spent speaking with the news media about Cato and the SASE market. There’s a routine to these conversations. Many will groan over an acronym that’s pronounced “sassy.” They’ll listen but often dismiss the area as “just more Gartner hype.” For many, SASE seems like another marketing exercise like Big Data or Cloud Computing.

And I get that. For 20+ years, I too was an IT journalist. As a feature journalist, I was lucky. I could specialize and dive deep into the nuances of technologies. News journalists aren’t so fortunate. They must move between many technology areas, making it incredibly difficult to uncover the differences between slideware and reality. So, I understand skepticism around SASE, particularly when every little networking and security vendor claims to be a SASE company. And if every security device, virtual appliance, or managed service is SASE, what have we accomplished? Nothing.

Which is why a recent session by Nat Smith, Senior Director in the Technology and Service Provider (TSP) division of Gartner, was so interesting. Smith pierced the confusion around the SASE market, explaining what is and what is not SASE in a very plain-spoken way.

SASE connects people and devices to services

Smith’s explanation was very straightforward: “SASE is taking the networking service and those kinds of capabilities and also the security service and those capabilities and putting them into a single offering. Some people will simplify it a little bit and say SASE is connecting people and devices to services.”

His simple definition alludes to two innovations. The first is convergence, the bringing of all networking and security functionality together. For too long, enterprises have had to grapple with the complexity of managing and integrating network security appliances. The assortment of appliances dotting enterprise networks exacted a significant operational burden on IT teams. They had to patch and maintain appliances. As encrypted traffic levels grew and CPU demands soared, branch appliances had to be upgraded. Gaps were created for attackers to exploit, and integrating the solutions required significant investment. Visibility grew limited as critical data was locked behind silos, requiring additional management tools to overcome those issues.

Convergence solves these issues, pulling networking and network security functions into one seamless solution. Packets come into the SASE platform, get decrypted, and have all functions applied in a single pass before the packet is sent on to its destination. Performing operations in parallel rather than moving them through a service chain of devices reduces latency and allows the SASE platform to scale more efficiently. While Gartner documents point to a wide range of functions converged by SASE, Smith broke them down into five main areas: SD-WAN, FWaaS, SWG, CASB, and ZTNA.

In truth, security and networking convergence preceded SASE. UTMs are probably the best example, and even some SD-WAN appliances have added security capabilities (Figure 1). Which brings us to the next innovation: cloud-native services.

Figure 1: Network security appliances are “thick,” performing all functions themselves.

SASE: It’s not an appliance

SASE is a true cloud service. It’s not a single-tenant appliance stuck in the Cloud. It’s a multitenant platform designed as a cloud service. I think of it as the difference between O365 and Word. Microsoft, and all cloud providers, push out new features and new capabilities all the time. There’s no need to download, test, and deploy a new version while worrying all the while about the repercussions for my laptop. And while desktop software only works for that computer, the Cloud is available to me wherever I go, from whatever device I’m using. I don’t have to worry about running out of storage or patching software. The provider handles all of that.

SASE brings those same cloud benefits to networking and security. SASE breaks functionality into two, keeping the bare minimum at the edge while moving core functions into the Cloud (Figure 2). There are no patches or updates to test and deploy; they just “appear” in the service. Storage and scaling are things the provider has to worry about, not IT.

Figure 2: SASE creates a “light” appliance at the edge, providing just enough processing to move traffic into the Cloud, where compute-intensive security and networking services can benefit from the scalability and elasticity of the Cloud.

Shifting processing to the Cloud leverages the Cloud’s scalability and elasticity. Compute-intensive services, like content inspection, normally force branch appliance upgrades to accommodate traffic growth. But within the Cloud, they can run at line rate regardless of traffic volumes. And by being in the Cloud, SASE services can be made available to users anywhere without a perceptible difference.

SASE: It’s not just in the Cloud; it is the Cloud

And this point, making SASE services available to the user efficiently, is critical. Smith pointed to the example below, where security processing happens in a Shanghai PoP that serves three locations: Shanghai, Singapore, and San Francisco (Figure 3). He posed the question, “Is this SASE or not?”

Figure 3: SASE is not a single PoP converging networking and security services, as users located far away (in San Francisco, in this case) will not experience local performance.

Shanghai users will experience pretty good response time. Singapore less so, but San Francisco? With a thousand kilometers to the Shanghai PoP, San Francisco users will experience significant latency as traffic is brought back to Shanghai for inspection. Users probably won’t call it that. They’ll likely talk about “the network being slow” or “applications taking forever to load.” But the culprit will remain the same: the latency needed to get back to the PoP for processing.

A single PoP does not make SASE. SASE is meant to give local performance to all users regardless of location. As such, Smith points out that SASE must be distributed, delivering a cloud edge service that brings security processing near the source. A global network of PoPs is needed, where the PoPs are close to the company locations and mobile users using that service (see Figure 4).

Figure 4: With SASE, security processing is distributed across a global fabric of PoPs. Users experience local performance regardless of location.

Convergence and Cloud-Native Define SASE

SASE is the convergence of networking and security, but it’s also about moving from the edge to the Cloud. Smith sees both of those elements, convergence and cloud-native, as essential for realizing SASE’s promise. Failure to deliver on both of those elements isn’t SASE. It’s just hype.

Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks

Update to Cato MDR Shortens Time-to-Value, Automates 70 Security Checks

Nobody likes to wait for results, and that's certainly the case when it comes to managed detection and response (MDR) services. MDR services are meant to eliminate threats faster by outsourcing threat hunting to third-party specialists. But to accomplish their goal, MDR services require up to 90 days to baseline typical network operation. Which is odd if you think about it. Malware dwell time already exceeds 200 days. Why invest in an MDR service if it'll be another three months before your organization realizes any results?

Cato has a better way. The new release of Cato MDR announced this week eliminates the startup window by tapping cross-organizational baselines developed using the Cato system. Let's take a closer look.

What's Behind the Cato MDR Service

As part of the broader Cato service, Cato MDR has deep visibility into enterprise traffic patterns. We've developed a simply massive data warehouse storing the metadata for every IP address, session, and flow crossing the Cato global backbone. We do that over time, so we can see the historical and current traffic patterns across thousands of enterprises and hundreds of thousands of remote users worldwide.

This incredible data repository gives us the basis for our Cato Threat Hunting System (CTHS), a set of multidimensional machine learning algorithms and procedures developed by Cato Research Labs that continuously analyze customer traffic for the network attributes indicative of threats. More specifically, CTHS has the following capabilities:

- Full Visibility, No Sensors: Cato sees all WAN and Internet traffic normally segmented by network firewalls and Network Address Translation (NAT). CTHS has full access to real-time network traffic for every IP, session, and flow initiated from any endpoint to any WAN or Internet resource. Optional SSL decryption further expands the data available for threat mining. CTHS uses its deep visibility to determine the client application communicating on the network and to identify unknown clients. The raw data needed for this analysis is often unavailable to security analytics platforms, such as SIEMs, and is impossible to correlate for real-time systems, such as legacy IPS.
- Deep Threat Mining: Data aggregation and machine learning algorithms mine the full network context over time and across multiple enterprise networks. Threat mining identifies suspicious applications and domains using a unique "popularity" indicator modeled on access patterns observed throughout the customer base. Combining client and target contexts yields a minimal number of suspicious events for investigation.
- Human Threat Verification: Cato's world-class Security Operations Center (SOC) validates the events generated by CTHS to ensure customers receive accurate notifications of live threats and affected devices. CTHS output is also used to harden Cato's prevention layers to detect and stop malicious activities on the network.
- Rapid Threat Containment: For any endpoint, a specific enterprise network, or the entire Cato customer base, the SOC can deploy policies to contain any exposed endpoint, both fixed and mobile, in a matter of minutes.

CTHS creates a deep threat-hunting foundation that powers all Cato security services without requiring customers to deploy data collection infrastructure or analyze mountains of raw data. At the same time, CTHS adheres to privacy regulatory frameworks such as GDPR. With CTHS and Cato Cloud, enterprises of all sizes continue their journey to streamline and simplify networking and security.
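The cross-organizational "popularity" signal described above, as an added illustration that is not Cato's CTHS code: a toy threat-mining pass over constructed flow metadata from three made-up tenants. It rates every destination domain and client application by the fraction of tenants in which it was observed, and raises an event only where a rare domain is combined with an unknown or rare client, collapsing repeated flows into one event per host; the tenant names, flows, and 0.34 cutoff are all assumptions.

```python
"""Toy cross-tenant popularity scoring for threat mining.

Added illustration, not Cato's CTHS: it mimics the idea of rating a
destination by how many customer networks reach it, combined with the
client application seen on the flow.  All tenants, flows and thresholds
below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    tenant: str       # customer network the flow was observed in
    host: str         # endpoint inside that tenant
    client_app: str   # application identified from the traffic ("unknown" if not)
    domain: str       # destination domain


# Constructed sample metadata from three hypothetical tenants.  Most flows
# are ordinary SaaS traffic; acme-pc3 talks to a domain no other tenant
# uses, from a client that could not be identified.
FLOWS = [
    Flow("acme", "acme-pc1", "chrome.exe", "office.com"),
    Flow("acme", "acme-pc2", "outlook.exe", "office.com"),
    Flow("acme", "acme-pc3", "unknown", "updates.example-rare.net"),
    Flow("acme", "acme-pc3", "unknown", "updates.example-rare.net"),
    Flow("globex", "gx-01", "chrome.exe", "office.com"),
    Flow("globex", "gx-01", "unknown", "office.com"),
    Flow("globex", "gx-02", "firefox.exe", "github.com"),
    Flow("initech", "it-laptop", "chrome.exe", "office.com"),
    Flow("initech", "it-laptop", "git.exe", "github.com"),
    Flow("initech", "it-srv", "chrome.exe", "internal-tool.example"),
]

# Assumed cutoff: a name seen in roughly a third of tenants or fewer is "rare".
RARE_THRESHOLD = 0.34


def popularity(flows, field):
    """Fraction of all tenants in which each distinct value of `field` was seen.

    Computed across the whole customer base rather than per tenant, which is
    what lets a brand-new customer be assessed without a 90-day baseline.
    """
    tenants = {f.tenant for f in flows}
    seen_in = defaultdict(set)
    for f in flows:
        seen_in[getattr(f, field)].add(f.tenant)
    return {value: len(t) / len(tenants) for value, t in seen_in.items()}


def mine_suspicious(flows, threshold=RARE_THRESHOLD):
    """Return one event per (tenant, host, domain) where both contexts look odd.

    A rare domain reached by a well-known client (a customer's private tool)
    and an unknown client reaching a popular domain are both left alone; only
    the combination is surfaced, which keeps the event count small.
    """
    domain_pop = popularity(flows, "domain")
    app_pop = popularity(flows, "client_app")
    events = {}
    for f in flows:
        rare_domain = domain_pop[f.domain] <= threshold
        odd_client = f.client_app == "unknown" or app_pop[f.client_app] <= threshold
        if rare_domain and odd_client:
            key = (f.tenant, f.host, f.domain)  # repeated flows collapse here
            client_pop = None if f.client_app == "unknown" else round(app_pop[f.client_app], 3)
            events.setdefault(key, {
                "tenant": f.tenant,
                "host": f.host,
                "domain": f.domain,
                "client_app": f.client_app,
                "domain_popularity": round(domain_pop[f.domain], 3),
                "client_popularity": client_pop,
            })
    # Least popular destinations first: the analyst's verification queue.
    return sorted(events.values(), key=lambda e: e["domain_popularity"])


if __name__ == "__main__":
    for event in mine_suspicious(FLOWS):
        print(event)
```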
Cato MDR 2.0 Gains Automated 70-Point Checklist

Beyond faster time-to-value, Cato has also introduced automatic security assessment to the MDR service. Instantly, customers learn how their network security compares against the checks and best practices implemented by enterprises worldwide. Items inspected include proper network segmentation, firewall rules, and security controls like IPS and anti-malware. The 70-point checklist is derived from the practices of the "best" enterprises across Cato and avoids the biggest mistakes of the worst enterprises.

"Much of what we're highlighting in our 70-point checklist is probably common sense to any security-minded professional. But all too often, those practices have not been found in one actionable resource," says Elad Menahem, director of security at Cato Networks.

And to further enhance the support given to Cato MDR customers, we've designated security engineers (DSECs) for each customer. The DSEC becomes the customer's single point of contact and security advisor. The DSEC can also tweak threat hunting queries to enhance detection specific to the customer environment, such as gathering specific network information to protect particular valuable assets. The DSEC is part of the larger SOC team, sitting between the Security Analysts and Security Research.

Coupled with CTHS and Cato's unique data warehouse, Cato MDR brings together the best of human intelligence and machine intelligence for the highest degree of protection. Overall, Cato underscores yet another aspect of the value of a global, cloud-native SASE platform. To learn more about Cato MDR, visit https://www.catonetworks.com/services#managed-threat-detection-and-response.

Figure: The Cato automatic assessment identifies misconfiguration against 70 security best practices, returning a security posture score and a detailed report for easy action.

5G: A Step Beyond the Last Mile?

5G: A Step Beyond the Last Mile?

During the third and fourth quarters of 2019, Amazon spent a total of $3B on its one-day delivery program. At issue for the retail giant was solving the last mile, a challenge that has vexed organizations for decades. The telecom industry, which coined the last mile phrase decades ago, claims to be on the verge of solving the last mile for its customers, with the promise of 5G. For those who have spent years waiting for fiber rollouts to make it to their office building, news of multigigabit connectivity without wiring is welcome indeed. As exciting as this news is for CIOs, though, the question they should be asking is whether their legacy enterprise networks can take advantage of 5G’s goodness. And the answer to that question is far from certain.

Powerful Benefits for Enterprises

A fully operational 5G is a game changer for enterprises. The delays and limited data transfer capacity that plague today’s connectivity will quickly become a thing of the past. Businesses will be inoculated against outages and experience full, continuous high-speed availability. If promises can be believed, enterprises will no longer have to wait months for fiber installations or be limited by line availability. Rural offices, construction sites, and even offshore oil rigs won’t be limited by a carrier’s unwillingness to invest in high-cost infrastructure that serves only a small number of businesses and fails to deliver a high ROI.

In addition to easier provisioning, data rates on 5G are lightning-fast. Designed to deliver peak data rates of up to 20Gbps, it is 20 times faster than 4G. For enterprises involved with the Internet of Things (IoT), 5G will be able to provide more than 100Mbps average data transmission to over a million IoT devices within a square kilometer.

Behaving like the Infinite Middle

The high speeds and elimination of last-mile slowdowns are what enterprises need today. 5G will address surges in capacity driven by the growing demand for video conferencing, increased data storage, and businesses operating from multiple locations. Removing last-mile bottlenecks means there is no need to step down capacity as data approaches the end user. Multi-gig connections can carry high-speed data across the globe and down to the end user at great speed and lower latency than current solutions.

This combination opens the door to greater innovation in many areas. Automation will grow in manufacturing plants through the use of IoT-enabled connected devices. Supply chains will be able to share data more efficiently, enabling smoother operation. And expect to see improvements in logistics and deliveries as commercial vehicles take advantage of smart traffic efficiencies created by 5G. Improved traffic flow, decreased journey times, and car-to-car communication will improve the business’s bottom line.

Virtual reality (VR) and augmented reality (AR) become possible, opening new opportunities, particularly for retailers. Personalized digital signage, real-time messaging, and promotions based on real-time consumer behavior become possible with 5G. Innovative tools like smart mirrors could advise consumers on fashion choices or recommend cuts of clothes based on their unique body size and shape. AI systems will also use the increased real-time data to get even better at analyzing situations and making recommendations. They’ll be more effective, leading to increased adoption of AI technology. 5G and the elimination of last-mile slowdowns are expected to open the door to anything enterprise IT can imagine. It sounds all too perfect, and it is.

The Challenge of Eliminating Last-Mile Slowdowns

There’s no doubt that 5G has the potential to transform business. However, transformation comes with security risks that enterprises can’t afford to ignore. A growing number of entry points, a greater reliance on online data streams, and visibility issues increase an enterprise’s exposure to cyberattacks. Early 5G adopters will also be exposed to security risks stemming from misconfigurations and security integrations between 5G and 4G networks. Deploying patchwork security solutions that weren’t designed for 5G networks will not only be ineffective as a security tool, but may create more problems for IT teams by creating more exploitable network entry points.

And enterprises that don’t update their network architectures may find they’re unable to fully benefit from 5G’s performance. That’s because legacy networks backhaul traffic to a central security gateway for inspection and policy enforcement. The latency of that connection, not the last-mile performance, has always been the determining factor in long-distance connections.

Defending Networks with SASE

A secure access service edge (SASE) addresses enterprise needs for a more secure, better-performing 5G network. SASE distributes security inspection and policy enforcement out to points of presence (PoPs) across the globe. By connecting to the local PoP, all users, whether in the office, on the road, or at home, are protected against network-based threats. And by avoiding traffic backhaul, SASE allows enterprises to take full advantage of 5G’s faster connections without compromising security. Partners can also easily be connected to a company’s SASE network, allowing for secure, high-performance supply chains.

5G is a transformative access technology. SASE is a transformative architectural approach. Together they allow IT to transform the way enterprises operate. To learn more about 5G and how the Cato SASE platform can help your enterprise, contact us here.

Poor VPN Scalability Hurts Productivity and Security

Poor VPN Scalability Hurts Productivity and Security

Due to the surge in remote work inspired by COVID-19, VPN infrastructure designed to support 10-20% of the workforce has failed to keep up. This has inspired companies to invest in scaling their VPN infrastructure, but this is not as easy as it sounds. VPNs are difficult to scale for a few different reasons, and this forces companies to make tradeoffs between network performance and security. With growing support for remote work, having an unscalable and unsustainable secure remote access solution is not an option. So how can organizations scalably and securely support their remote workforces? We’ll answer that here.

Why VPNs scale poorly

VPNs are designed to provide privacy, not security. They lack built-in access controls and the ability to inspect traffic for malicious content. As a result, companies commonly use VPNs to backhaul remote workers’ traffic through the corporate LAN for security inspection before sending it on to its destination. This design means that the organization’s VPN solutions, corporate network infrastructure, and perimeter-based security stack are all potential bottlenecks for a VPN-based secure remote access solution. As a result, effectively scaling VPN infrastructure requires investment in a number of areas, including:
- VPN Infrastructure: As VPN utilization increases, a company’s VPN terminus needs to be able to support more parallel connections. Accomplishing this often requires deploying additional VPN infrastructure to meet current demands.
- Last Mile Network Links: Network links on the corporate LAN must be capable of supporting the load caused by backhauling all network traffic for security inspection. For all traffic with destinations outside of the corporate LAN, traffic will traverse the network twice, both entering and leaving after security inspection, and network links must have the bandwidth to support this.
- Security Systems: The use of VPN infrastructure to backhaul business traffic is designed to allow it to undergo security inspection and policy enforcement. Perimeter-based security solutions must have the capacity to process all traffic at line speeds.
- System Redundancy: With a remote workforce, secure remote access solutions become “critical infrastructure” with high availability requirements. All systems (VPN, networking, security, etc.) must be designed with adequate redundancy and resiliency.

Acquiring, deploying, and maintaining adequate infrastructure to meet companies’ remote access needs is expensive. The limited feature set and poor scalability of VPNs contribute to a number of problems that are holding businesses back.

An unsustainable and insecure approach

The disadvantages of VPNs for businesses contribute to a number of factors that impair the usability and security of these systems, such as:
- Degraded Performance: Because VPNs have no built-in security functionality, sending traffic through a standalone security stack is essential. This means that many organizations backhaul traffic through corporate LANs for inspection, which creates significant network latency.
- Appliance Sprawl: The poor scalability and high availability requirements of VPN infrastructure mean that organizations need to deploy multiple appliances to meet the needs of a remote workforce. This is expensive and adds complexity to the process of deploying, configuring, and maintaining these appliances.
- Security Workarounds: The poor scalability of VPNs drives many organizations to make tradeoffs between network performance and security. A common example is backhauling traffic to the corporate network for security inspection, which incurs significant latency.
- Network-Level Access: VPNs provide authorized users with unlimited access to the corporate network. This enables legitimate users to misuse their access and dramatically increases the risks associated with a compromised user account.

The use of enterprise VPN solutions is an unsustainable and insecure approach to implementing secure remote access. As companies plan extended or permanent support for remote work, a better solution is needed.

SASE is a scalable alternative for secure remote access

With the growth of remote work and cloud computing, companies need a secure remote access solution that is designed for the modern enterprise network. While VPNs cannot effectively scale to meet demand, the same is not true of secure access service edge (SASE).

Many of VPNs’ issues arise from two main factors: location and security. VPNs are designed to provide a secure connection to a single terminus, and they lack built-in security, so that location needs to host a standalone security stack. SASE eliminates both of these considerations. Instead of a single VPN terminus, SASE is implemented as a worldwide network of points of presence (PoPs). With so many PoPs, business traffic can enter and leave the corporate WAN at convenient locations. SASE also incorporates a full security stack, enabling any SASE PoP to perform security inspection and policy enforcement for the traffic passing through it. This eliminates the need to deploy standalone security stacks at each terminus or to backhaul to a central location for inspection, simplifying security and eliminating unnecessary latency.

This security stack includes zero trust network access (ZTNA), also known as software-defined perimeter (SDP), for secure remote access. Unlike VPNs, ZTNA/SDP implements zero trust security principles, providing access to resources on a case-by-case basis. This minimizes the risk posed by a compromised user account or malicious user.

These two features make SASE a much more scalable secure remote access solution than VPNs. The decentralized nature of the SASE network means that no one location needs to carry the full load of the remote workforce’s network traffic. The network also has built-in redundancy and the ability to easily scale or expand simply by deploying a new virtualized appliance at the desired location.

Cato offers secure, scalable remote access for the distributed enterprise

Modern businesses need secure remote access solutions that protect their remote workforces without compromising performance. Cato Cloud makes it easy for employees to connect securely from anywhere to anywhere. To learn more about how to deploy high-performance secure remote access, download our free Work from Anywhere for Everyone eBook. If you have questions about the benefits of SASE over VPNs or how Cato Cloud can work with your environment, feel free to contact us. Also, don’t hesitate to request a free demo to see Cato Cloud’s secure remote access capabilities for yourself.

What is a Cloud Firewall?

Cracks are forming at the base of the cloud firewall. Those virtualized instances of the security perimeter vital to protecting cloud assets against unauthorized attempts to access an organization’s cloud resources have begun showing their age. The shift to multicloud strategies and the rapid evolution of network-based threats are uncovering weaknesses in cloud firewalls. Instead, many companies are adopting Firewall-as-a-Service (FWaaS) solutions. But will FWaaS go far enough? Let’s find out.

What is a Cloud Firewall Used For?

Physical firewalls, aka firewall appliances, have been a fixture in the network stack populating datacenters and branch offices everywhere. But as enterprises shifted data and applications to the cloud, they needed to secure them as well. Deploying a physical firewall in the cloud was impractical at best and frequently impossible. Enter cloud firewalls. These offerings bring the protective ability of firewall appliances to the cloud. Cloud firewalls run as virtual instances within the cloud provider network.

As such, cloud firewalls bring several significant advantages over firewall appliances. We’ve already discussed one; they’re easy to deploy. Cloud firewalls are also easier to scale than physical firewalls. Need more memory or compute? Just add as you would to any workload in the cloud. Cloud firewalls are also often easier to make highly available. Yes, you’ll need to configure redundant instances appropriately. But the datacenters are already equipped with redundant power sources, HVAC systems, automated backup systems, and more needed to support an HA implementation.

The Limitations of Cloud Firewalls

At the same time, cloud firewalls come with key limitations. With each cloud environment requiring its own cloud firewall for protection, security becomes more complex in a multicloud strategy, which is increasingly common among enterprises. What’s more, where cloud firewall instances exist out-of-region, traffic must be backhauled, adding latency to application sessions.

And while cloud firewalls might be easier to maintain than physical appliances, they still need plenty of care. IT teams still need to configure, deploy, and manage the cloud firewall. They still need to apply patches and deploy the latest signatures to protect against zero-day threats.

Finally, resource sharing among cloud firewalls becomes challenging at scale. Cloud firewalls function as virtual appliances, requiring their own memory and compute. They can’t pool them easily with other cloud firewall instances. For many IT teams, the question “What is a cloud firewall” is being replaced by “What security tool can we use instead of a cloud firewall.”

Why FWaaS is Replacing Virtual Firewalls

And the answer to that question is quickly becoming FWaaS. FWaaS offerings are independent cloud services that provide companies with their own firewall instances to manage and run. Unlike firewalls, FWaaS provides customers their own logical firewall instances running on the provider’s multitenant firewall platform. FWaaS platforms are genuine cloud services. They’re multitenant, elastic, and highly scalable, allowing the individual firewalls to consume compute resources more efficiently than individual cloud firewalls. FWaaS providers also assume the burden of ensuring firewall performance doesn’t suffer as traffic loads grow. And since compute resources and operating costs are spread across all customers, FWaaS platforms are often more cost-effective than cloud firewalls.

In short, by using FWaaS, organizations retain the scalability, availability, and extensibility of a cloud deployment. At the same time, they enjoy the low-cost cloud option and improved line-rate network performance.

Does FWaaS Go Far Enough?

FWaaS might seem to answer the security problems facing enterprises, but what FWaaS offerings miss is the global network. Most enterprises have at least some resources in private datacenters. Users require optimized access to those resources and the cloud. FWaaS offerings, though, rely on the unpredictable global Internet for transport. Performance to corporate datacenters is far too unpredictable and sluggish for enterprises used to MPLS and private backbones.

FWaaS offerings also often target HTTP-based applications. Other applications based around legacy protocols may not be supported or require purchasing additional products. Since FWaaS offerings can’t cover the complete enterprise, they must be integrated with existing networking and security tools. This creates greater operational complexity for IT and leads to fragmented network visibility, complicating the detection of the network traffic patterns indicating malware infections.

In short, FWaaS is a step in the right direction, but without the underlying network it remains a partial solution. For most enterprises, FWaaS doesn’t go far enough.

Moving from Cloud Firewall to SASE

Secure Access Service Edge (SASE) expands on FWaaS, converging security with a global, optimized network. The Cato SASE platform, for example, includes the Cato Global Private Backbone, a global, geographically distributed, SLA-backed network of 60+ PoPs interconnected by multiple tier-1 carriers. Within those PoPs, a complete suite of security services — NGFW, IPS, URLF, anti-malware, and more — operate on all traffic. The traffic is then sent onto the Internet or across the Cato global private backbone to other edges — branch offices, datacenters, remote users, and cloud resources — connected to Cato PoPs.

The Cato network includes built-in WAN optimization, route optimization, dynamic carrier selection, and cloud optimization to deliver far better performance than the global Internet or legacy infrastructure. During customer testing, for example, file transfer performance improved by 20x with Cato when compared against MPLS. Other customers have seen similar, if not better, results when comparing Cato against the global Internet.

The convergence of security and networking also provides Cato with unprecedented visibility into enterprise traffic flows. Using this unique insight, a team of dedicated networking and security experts seamlessly and continuously update Cato defenses. They offload from enterprises the burden of ensuring maximum service availability, optimal network performance, and the highest level of protection against emerging threats.

It’s Time to Upgrade your Cloud Firewall with SASE

Cato is the world’s first SASE platform. It enables customers to easily connect physical locations, cloud resources, and mobile users to Cato and provides IT teams with a single, self-service console to manage security services. Learn more on our blogs, contact our team of security experts, or schedule a demo to see how SASE can protect your network environment.

Remote Access Security: The Dangers of VPN

Millions of people worldwide are still working remotely to support shelter-in-place requirements brought on by the pandemic. For many workers, a remote workstyle is a preference that will likely become a more permanent arrangement. Enterprises have responded by expanding their use of VPNs to provide remote access to the masses, but is this the right choice for long-term access? Aside from enabling easy connectivity, enterprises also must consider the security of VPNs and whether their extensive use poses risks to the organization. (Spoiler alert: they do.)

Long-term use alternatives must be considered due to VPNs’ failures where remote access security is concerned. One prominent alternative is Secure Access Service Edge (SASE) platforms with embedded Zero Trust Network Access (ZTNA) that alleviate the security dangers and other disadvantages of VPN.

VPNs Put Remote Access Security at High Risk

In general, VPNs provide minimal security with traffic encryption and simple user authentication. Without inherent strong security measures, they present numerous risk areas:

- VPN users have excessive permissions – VPNs do not provide granular user access to specific resources. When working remotely via VPN, users access the network via a common pool of VPN-assigned IP addresses. This leads to users being able to “see” unauthorized resources on the network, putting them only a password away from being able to access them.
- Simple authentication isn’t enough – VPNs do provide simple user authentication, but stronger authentication of users and their devices is essential. Without extra authentication safeguards – for example, multi-factor authentication, or verification against an enterprise directory system or a RADIUS authentication server – an attacker can use stolen credentials and gain broad access to the network.
- Insecure endpoints can spread malware to the network – There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network.
- The full security stack doesn’t reach users’ homes – Enterprises have built a full stack of security solutions in their central and branch offices. This security doesn’t extend into workers’ homes. Thus, to maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load.
- VPN appliances are a single point of failure – For enterprises that support a large remote workforce connecting via VPN, there is high risk of business interruption if a VPN fails or is incapacitated, such as through a DoS attack. No appliance means no access for anyone who would connect to it.
- Some VPNs have known vulnerabilities – Enterprises are responsible for monitoring for vulnerabilities and updating and patching devices as needed. Serious flaws that go unpatched can put organizations at risk. For example, in March 2020, it was reported that Iranian hackers were leveraging VPN vulnerabilities to install backdoors in corporate and government networks. The attack campaign targeted several high-profile brands of VPNs.
- VPNs add to overall network complexity – Adding one or more VPNs to the data center to manage and configure adds to the overall complexity of network management, which could ultimately lead to greater security vulnerabilities.
- Network managers have limited visibility into VPN connections – The IT department has no visibility into what is happening over these appliances. The user experience suffers when problems occur, and no one knows the root cause.
- Split tunneling provides opportunity for attack – To alleviate VPN capacity constraints, organizations sometimes utilize split tunneling. This is a network architecture configuration where traffic is directed from a VPN client to the corporate network and also through a gateway to link with the Internet. The Internet and corporate network can be accessed at the same time. This provides an opportunity for attackers on the shared public network to compromise the remote computer and use it to gain network access to the internal network.

VPNs Have Other Drawbacks

In addition to the security issues, VPNs have other drawbacks that make them unsuitable for long-term remote access connectivity. For example, an appliance has capacity to support a limited number of simultaneous users. Ordinarily this isn’t a problem when companies have 10% or less of their employees working remotely, but when a much higher percentage of workers need simultaneous and continuous access, VPN capacity can be quickly exceeded. This requires the deployment of more and/or larger appliances, driving costs and management requirements up considerably. Companies use workarounds like split tunneling to address the lack of scalability, which can degrade traffic visibility and security.

A Better Long-term Solution for Secure Remote Access

VPNs are no longer the only (or best) choice for enterprise remote access. Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main driver of ZTNA adoption is the changing shape of enterprise network perimeters. Cloud workloads, work from home, mobile, and on-premises network assets must be accounted for, and point solutions, such as VPN appliances, aren’t the right tool for the job.

The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.

But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection before proceeding to its destination. This is where having ZTNA fully integrated into a Secure Access Service Edge (SASE) solution is most beneficial.

SASE converges ZTNA, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly scalable.

The Cato SASE solution provides all this in a cloud-native platform. Cato’s SASE solution enables remote users, through a client or clientless browser access, to access all business applications via a secure and optimized connection. The Cato Cloud, a global cloud-native service, can scale to accommodate any number of users without deploying a dedicated VPN infrastructure. Remote workers connect to the nearest Cato PoP – there are more than 60 PoPs worldwide – and their traffic is optimally routed across the Cato global private backbone to on-premises or cloud applications. Cato’s security services protect remote users against threats and enforce application access control.

In short, the Cato SASE platform makes it quick and easy to give optimized and highly secure access to any and all remote workers. For more information on how to support your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.

What is a UTM Firewall and What Is Beyond It?

In theory, Universal Threat Management (UTM) platforms should have long ago promoted efficiency: collapsing many security features into a single appliance. In reality, though, UTMs often became headaches in the making, putting IT on a vicious and costly lifecycle of appliance upgrades. How can you take the UTM’s benefits and avoid the scalability problem? Let’s take a look to find out what’s beyond the UTM and the future of network security.

Firewalls Evolve Over the Years

Before the UTM, there was the basic firewall. It was a physical appliance installed at a location such as a datacenter or a branch office. All traffic passed through the firewall for basic inspection against security policies based on network information such as the type of protocol or the source/destination addresses.

Traditionally, port 80 of the firewall bore extra scrutiny because this is where web traffic came in. But as applications and networking evolved, firewalls needed to look beyond port 80 to make a determination whether or not a packet flow was malicious.

As the industry started to adopt applications and services that shared common TCP ports, simply looking at the source or destination address and the TCP information wasn’t sufficient to detect malicious traffic. This led to the development of next generation firewalls (NGFWs) that look into the application layer to determine whether or not a flow is malicious.

UTMs Converge Security into One Appliance

While firewalls are essential, companies need more than just a firewall in their security quiver. They also want malware inspection, intrusion detection and prevention, content filtering, and other security measures. These functions could all be separate appliances, or they could all be brought together into a single converged appliance. This new all-in-one security device is what became known as the UTM. The concept of UTM is good—the execution, not so much.

As enterprises enable more security functions and as traffic levels grow, the appliances require more processing power. Ultimately, this forces an appliance upgrade with all of the additional costs and complexity involved. Failing to do that leads to a trade-off between implementing the necessary security functions and reducing processing load to improve performance.

What’s more, placing NGFWs and UTMs in the headquarters or branch doesn’t reflect the needs of today’s business. Users operate anywhere and everywhere, but they still must send all of their traffic back to these appliances for inspection, which is inefficient. The same can be said on the application side. With more users accessing resources in the cloud, first sending traffic back to a private datacenter for security inspection by the NGFW makes little sense and can damage the usability of SaaS applications.

The Future of Enterprise Security is in the Cloud

There is a new and revolutionary way of delivering NGFW and other network security capabilities as a cloud service. Firewall-as-a-Service (FWaaS) truly eliminates the appliance form factor, making a full stack of network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) available everywhere. A single, logical global firewall with a unified application-aware security policy connects the entire enterprise — all sites, remote users, and cloud resources. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.

FWaaS is an integral component of a Secure Access Service Edge (SASE) networking platform. SASE converges the functions of network and security point solutions into a unified, global cloud-native service.

Cato Has a Full Security Stack in Every PoP

Cato’s cloud-native SASE architecture converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. Customers easily connect physical locations, cloud resources, and mobile and remote users to Cato Cloud.

Cato uses a full enterprise-grade network security stack natively built into the Cato SASE Cloud to inspect all WAN and Internet traffic. Security layers include an application-aware FWaaS, secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and a managed IPS-as-a-Service (IPS). Cato can further secure your network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. Zero Trust Network Access (ZTNA) is an integral part of the platform, tying security access policy back to user identity in and out of the office.

All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. Security policies and events are managed centrally using the self-service Cato Management Application.

The Cato SASE platform spans more than 60 global Points of Presence (PoPs) located in nearly every region of the world. Each PoP has a full security stack, ensuring that security is conveniently applied to all traffic at the PoP before going to its final destination.

The future of security is in the cloud, and it goes well beyond UTM. Cato’s SASE platform delivers that future now.

Related content: Read our guide What Is a Network Firewall?
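The "Firewalls Evolve Over the Years" section above makes the point that once applications began sharing common TCP ports, a rule keyed on addresses and ports alone could no longer tell what was actually crossing the firewall. The following is an added illustration, not code from the article or from Cato: a toy policy engine that evaluates the same rule set twice, once as a classic port-based firewall and once with an application-layer classifier in the loop. The rules, addresses, payload signatures and sample flows are all constructed for the example.

```python
"""Port-based filtering versus application-aware inspection (added example).

A basic firewall matches protocol, destination and port; the application-aware
variant additionally classifies the first client bytes. Everything below
(addresses, rules, payloads) is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst: str         # destination IPv4 address
    dport: int
    payload: bytes   # first bytes sent by the client (constructed)


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_net: str                    # CIDR
    dport: Optional[int]            # None matches any port
    apps: Optional[FrozenSet[str]]  # None matches any application
    action: str                     # "allow" or "deny"


def classify_app(payload: bytes) -> str:
    """Identify the application from the first client bytes using toy signatures."""
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"   # TLS handshake record header (content type 0x16, major version 3)
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"   # SSH version banner
    method = payload.split(b" ", 1)[0]
    if method in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"} and b" HTTP/1." in payload:
        return "http"
    return "unknown"


def evaluate(rules: List[Rule], flow: Flow, app_aware: bool) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if rule.proto != flow.proto:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if dst not in ipaddress.ip_network(rule.dst_net):
            continue
        # The port-based firewall never reaches into the payload; only the
        # application-aware pass applies the rule's application constraint.
        if app_aware and rule.apps is not None and classify_app(flow.payload) not in rule.apps:
            continue
        return rule.action
    return "deny"


# Constructed policy for a web-server subnet: only web protocols are expected.
POLICY: List[Rule] = [
    Rule("tcp", "203.0.113.0/24", 80, frozenset({"http"}), "allow"),
    Rule("tcp", "203.0.113.0/24", 443, frozenset({"tls"}), "allow"),
]

# Constructed sample flows.
WEB_FLOW = Flow("tcp", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TLS_FLOW = Flow("tcp", "203.0.113.10", 443, bytes.fromhex("160301") + b"\x00\x05hello")
# A non-web protocol carried over port 80: a port-only rule lets it through.
SSH_ON_80 = Flow("tcp", "203.0.113.10", 80, b"SSH-2.0-example_banner\r\n")
OTHER_NET = Flow("tcp", "198.51.100.7", 80, b"GET / HTTP/1.1\r\n\r\n")


def compare(flow: Flow, rules: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (port-based verdict, application-aware verdict) for one flow."""
    return evaluate(rules, flow, app_aware=False), evaluate(rules, flow, app_aware=True)


if __name__ == "__main__":
    for name, flow in [("web", WEB_FLOW), ("tls", TLS_FLOW),
                       ("ssh-on-80", SSH_ON_80), ("other-net", OTHER_NET)]:
        basic, aware = compare(flow)
        print(f"{name:10s} port-based={basic:5s} app-aware={aware}")
```

The two verdicts only diverge for the flow that carries a non-web protocol on a web port, which is exactly the gap the article says drove the move from port-based rules to application-layer inspection; a real NGFW uses far richer classifiers than these three signatures, but the control flow is the same.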

New Forrester Report: Merging Network and Security in the Age of Covid

If you’re looking for more incisive perspective on the trend towards merging WAN and security in the cloud, check out Forrester’s January 21 report, Introducing the Zero Trust Model for Security and Network Services by analysts David Holmes and Andre Kindness. Even if you’ve already digested Gartner’s SASE reports (and our numerous blogs), this one is worth a read.

Forrester analysts tackle the impact of the post Covid-19 enterprise where some 50 percent of employees are expected to work from home. The report also includes some keen insights on a new network and security model for the Internet of Things (IoT), in addition to mobile and cloud computing.

Forrester has coined its own acronym for the future of the enterprise, the Zero Trust Edge (ZTE). The opener doesn’t pull any punches, stating that enterprises need to “Merge Security and Networking or Sunset Your Business.” The report goes on to outline the challenges on the way to ZTE.

According to Forrester, the Zero Trust Edge model aspires to be a cloud- or edge-hosted full security stack and network solution. Says Forrester, “A Zero Trust edge solution securely connects and transports traffic, using Zero Trust access principles, in and out of remote sites leveraging mostly cloud-based security and networking services.” ZTE solutions must merge all those disparate security appliances and functions formerly in data centers and branch offices into the cloud, where configurations can be altered, added, and deleted based on a single configuration management solution and benefit from cloud-based monitoring and analysis. A single security and network solution reduces both configuration errors and operating inefficiencies compared to multiple on-premises security appliances.

Cato is mentioned prominently as the only example in the report of a cloud-delivered ZTE service. The report notes that the Cato approach “offers all the value that organizations can get from software-as-a-service solutions,” and will “fit the needs of many organizations.” It helps that Cato not only brings its unique network and security solution to branch offices, cloud services, IoT, and datacenters but to mobile and home users as well, as Forrester predicts that securing remote workers is the most compelling initial use case for ZTE.

Download a free copy of the new Forrester report here.

Cato Offers a Free Certification Program to Help Customers and Channel Partners Learn the Fundamentals of SASE

Earlier this week, Cato announced that the 600th graduate has completed the SASE Expert certification program. Business and technical professionals from around the world have sought out high-quality education to attain a baseline level of knowledge of this new approach to networking and security…and for good reason.

Since SASE's introduction, Gartner has cautioned about the misinformation surrounding the architecture. As Gartner noted in its Hype Cycle for Network Security, 2020 report: "There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters."

As more vendors announce their service offerings in the SASE arena, enterprise IT professionals and channel partners have grown confused over what constitutes a true SASE platform and how it compares to legacy technologies. Some traditional network vendors have added a security element to their hardware appliances, put them in the cloud, and call it “SASE”—but is it really SASE?

Answering those questions isn’t merely an academic exercise. Understanding if the product fulfills the vision of SASE goes a long way to understanding if the product brings the benefits of SASE. SASE eliminates the legacy appliances that have made IT so complex. Instead, SASE converges networking and security processing into a global cloud-native platform. As cloud services, SASE architectures are easier to operate, save money, reduce risk, and improve IT agility.

Cato Certification Addresses Market Confusion, Advances Professionals’ Knowledge of SASE

The certification course content explores those architectural differences and provides enterprises and channel partners with a solid basis for understanding the SASE revolution. Curriculum highlights include:

- A detailed explanation of why enterprises need SASE today
- A close look at how Gartner explains the SASE architecture
- How SASE compares with legacy technologies
- Benefits and drawbacks of SASE for channel partners and enterprises
- What constitutes a true SASE platform

Cato's certification program is for IT leaders of all levels. Recent graduates include enterprise network engineers, C-level executives, and channel partners looking to grasp SASE fundamentals. Participants learn sufficient baseline information to understand the advantages and rationale for SASE for their own company or their clients. The certification is available online for free. Participants take the courses at their own pace from anywhere in the world.

To learn more about the SASE Expert certification program, visit https://www.catonetworks.com/sase/sase-expert-level-1/

Remote Access Network Architecture and Security Considerations

Remote Access Network Architecture and Security Considerations The global pandemic spurred a massive work-from-home (WFH) wave quite literally overnight. Hundreds of millions of people worldwide were told to stay home to stay safe, but they needed to keep working as best as possible. Enterprises responded to this sudden need for extensive remote network access by focusing on getting people connected—but connectivity often came at the expense of security. As WFH (or telework) becomes a long-term model for many organizations, it’s time to rethink the remote access network architecture with security as a priority, not just a “nice to have” consideration. Zero Trust Network Access (ZTNA) must be part of the long-term solution, and Secure Access Service Edge (SASE) can deliver ZTNA with ease. Long-term Telework Is Becoming the Norm The pandemic forced people out of their office and onto the dining room table with barely any notice to the IT teams who had to enable and support remote access. The immediate priority was to give people access to their work environment by any means available so they could maintain productivity. VPNs were the connectivity solution of choice for most harried IT teams. A year into the pandemic, many workers are still connecting to corporate resources from remote locations. What’s more, several large organizations have announced that WFH will be a permanent option for employees at least some of the time. Capital One, Facebook, Amazon, Gartner, Mastercard, Microsoft, Salesforce, PayPal, Siemens—these are just some of the companies that have adopted long-term remote work as the norm. VPNs are Giving Way to Zero Trust Security While VPNs provide traffic encryption and user authentication, they still present a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. 
There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. To maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, VPNs are a challenge – an expensive one at that – when it comes to remote access security. Enterprises are turning to a much more secure user access model known as Zero Trust Network Access (ZTNA). The premise of ZTNA is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs. The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies. But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren't addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection en route to its destination. This is where having ZTNA fully integrated into a SASE solution is most beneficial. SASE is a Secure Remote Access Solution Designed for the Modern Enterprise SASE converges Zero Trust Network Access, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. 
The Cato SASE solution provides all this in a cloud-native platform. A key component of the Cato SASE platform is a series of more than 50 global Points of Presence (PoPs) located in virtually every region of the world. These PoPs house integrated security stacks composed of next-generation firewalls, secure web gateways, anti-malware, intrusion prevention systems, and of course, the ZTNA technologies. The PoPs are where all traffic from an organization’s corporate offices, branch offices, and remote and mobile users connect to their network. Thus, security is conveniently applied to all traffic at the PoP before going to its final destination—whether it’s to another branch, remote user, SaaS application, cloud platform, or the Internet.

The PoPs themselves are interconnected by a private, high-performance network. This network utilizes routing algorithms that factor in latency, packet loss, and jitter to get traffic to and from its destination optimally, favoring performance over the cost of transmission. To further enhance security, the connections between PoPs are completely encrypted.

Cato’s SASE Platform Simplifies Secure Remote Access for WFH

What does this mean for the remote access worker? The Cato SASE platform makes it very quick and easy to give optimized and highly secure access to any and all workers. For users in the office, access can be limited only to designated resources, complying with zero-trust principles. For remote and mobile users, Cato provides the flexibility to choose how best to securely connect them to resources and applications. Cato Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the Cato SASE Cloud. Clientless access allows optimized and secure access to select applications through a browser.
Users simply navigate to an application portal, which is globally available from all of Cato’s 60+ PoPs, authenticate with the configured SSO, and are instantly presented with a portal of their approved applications. Both client-based and clientless approaches also comply with ZTNA to secure access to specific network resources. A zero-trust approach is essential for a secure remote workforce, and Cato’s solution allows an easy and effective implementation of ZTNA. For more information on how to secure your remote workforce, get the free Cato eBook Work From Anywhere for Everyone.

Network Security Solutions to Support Remote Workers and Digital Transformation

Attack surface – noun: The attack surface of an enterprise network environment is the sum of the different points (the attack vectors) where an unauthorized user can try to enter the network to execute a malicious intent, such as stealing data or disrupting operations.

A basic security measure is to keep the attack surface as small as possible. That’s a tall order as organizations undertake the simultaneous processes of digital transformation and network evolution. In addition to legacy data centers, enterprises now have extensive assets in the cloud as well as in branch and remote offices and, increasingly, in workers’ own homes. Such expansions have grown the attack surface exponentially. The way to shrink it back to a manageable size is with effective network security solutions, which in their own right require an evolution from legacy security appliances to a secure access service edge (SASE) architecture. By converging networking and security in the cloud, SASE provides enterprises with the means to monitor all traffic in real time and apply strong defense mechanisms at every point of the attack surface, thus minimizing an attacker’s ability to succeed in their nefarious mission.

SASE Solutions Converge Network and Security While Working with Legacy Architectures

Digital transformation is high on every executive’s to-do list, and it’s founded on the principles of innovation, business agility, and speed of delivery of products and services. For most organizations, the cloud is a critical piece of their transformation. This has necessitated a rethink of the WAN architecture. The legacy hub-and-spoke architecture is pure kryptonite to cloud application performance. This has led enterprises to adopt SD-WAN technology, which enables them to eschew bringing all traffic back to a central data center and route traffic directly to branches or the cloud, as needed.
Direct Internet access (DIA) is enabled as well. While SD-WAN can enhance application performance through traffic prioritization and steering, it fails to satisfy enterprise needs for strong security. What’s more, since SD-WAN appliances sit atop the underlying network infrastructure, the need for a high-performance and reliable network backbone is left unaddressed as well. Organizations require a WAN that is capable of optimizing traffic flow between any two points – not just to/from the enterprise LAN – without compromising security.

The Cato Cloud, the world’s first SASE platform, enables an organization to achieve this. Cato converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and remote workers and their mobile devices. It is an architectural transformation that, while working with existing legacy technologies, also allows enterprise IT teams to advance networking and security to provide a holistic, agile, and adaptable service for the entire digital business.

The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All of the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications. The PoPs also are where security is deployed, making it available to all traffic entering the Cato Cloud network. This is far more practical and cost-effective than deploying security appliances at the various branch and home office locations.

Native Security is a Core Component of the Cato Cloud

Security has never been an add-on feature for Cato; rather, it’s a core component that has been built in from the ground up.
The networking component and the security component are part of the same code base. As traffic passes through the network, it is evaluated simultaneously for security issues and network routing—and then it is routed over Cato’s private backbone. Having network and security all on one platform, in a single-pass solution, has the advantage of deep visibility at wire speed even if the traffic is encrypted. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain. And it’s all delivered as a service, so that customers don’t need to maintain anything. Among the full stack of security detection tools provided by Cato are:

Next Generation Firewall (NGFW)

The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as application or service, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address or domain.

Secure Web Gateway (SWG)

The SWG provides granular control over Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. There are predefined policies for dozens of different URL categories and support for custom rules, enhancing the granularity of web access control. The SWG is easily managed through Cato’s management portal and covered by a full audit trail.

Next Generation Anti-Malware (NGAV)

Cato’s Malware Detection and Prevention leverages multi-layered and tightly integrated anti-malware engines.
First, a signature- and heuristics-based inspection engine, which is kept up to date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware. Second, Cato has partnered with SentinelOne to leverage machine learning and artificial intelligence to identify and block unknown malware. Unknown malware can come as either zero-day attacks or, more frequently, as polymorphic variants of known threats that are designed to evade signature-based inspection engines. With both signature and machine learning-based protections, customer data remains private and confidential, as Cato does not share anything with cloud-based repositories.

Intrusion Prevention System (IPS)

Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes and maintains context-aware heuristics, both those developed in house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.

Software Defined Perimeter (SDP)

Also known as Zero Trust Network Access, or ZTNA, a cloud-native software defined perimeter delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention.
Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.

All the tools listed above are essential to enterprise security. Cato also has a service offering of Managed Threat Detection and Response (MDR). Cato’s MDR enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato automatically collects and analyzes all network flows, verifies suspicious activity, and notifies customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.

Full Network Security Couldn’t Be Easier

All of these network security solutions are delivered as a service, from the cloud, so there is never anything for the customer to install, update or maintain. The software and all its capabilities are fully integrated and always up to date. It is the best approach to keeping the attack surface of an enterprise network as small as possible, all while fully supporting an organization’s digital transformation needs. For more information, contact Cato and ask for a demo today.
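The NGFW section above says the DPI engine classifies the application on the first packet without decrypting the payload, and that custom definitions can identify applications by port, IP address or domain. The following added example (not Cato's code) shows one well-established way to do that for TLS: read the Server Name Indication from the cleartext ClientHello and match it against a catalogue. The signature catalogue, custom app definitions and the assumption that the first packet is a ClientHello are ours, constructed for illustration.

```python
"""First-packet application classification without decryption.

Added example, not Cato's code. For TLS, the Server Name Indication (SNI)
in the cleartext ClientHello identifies the destination service before any
encrypted byte is sent, so a classifier can label the flow on packet one.
The signature catalogue and custom app definitions are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed signature catalogue: domain suffix -> application.
SIGNATURES = {
    "salesforce.com": "Salesforce",
    "office.com": "Microsoft 365",
    "sharepoint.com": "Microsoft 365",
}

# Constructed custom application definitions by domain, or by IP address
# and port, as the page describes for account-specific applications.
CUSTOM_APPS = [
    {"name": "Internal-ERP", "domain": "erp.corp.example"},
    {"name": "Legacy-Payroll", "ip": "10.20.30.40", "port": 8443},
]


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    first_packet: bytes


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (used here only to produce sample input)."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)          # client version, random
            + b"\x00"                        # session id length 0
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(packet: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello, or None if the packet
    is not a ClientHello, is truncated, or carries no SNI extension."""
    try:
        if packet[0] != 0x16 or packet[5] != 0x01:
            return None
        pos = 43                               # record(5)+hs hdr(4)+version(2)+random(32)
        pos += 1 + packet[pos]                 # session id
        pos += 2 + struct.unpack("!H", packet[pos:pos + 2])[0]   # cipher suites
        pos += 1 + packet[pos]                 # compression methods
        end = pos + 2 + struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 2
        if end > len(packet):
            return None                        # extensions block truncated
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", packet[pos:pos + 4])
            pos += 4
            if etype == 0:                     # server_name extension
                names = packet[pos + 2:pos + elen]   # skip 2-byte list length
                if names and names[0] == 0:    # host_name entry
                    nlen = struct.unpack("!H", names[1:3])[0]
                    return names[3:3 + nlen].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(flow: Flow) -> str:
    """Custom definitions take precedence over the built-in catalogue;
    flows that match nothing fall through to a generic label."""
    sni = extract_sni(flow.first_packet)
    for app in CUSTOM_APPS:
        if sni and app.get("domain") == sni:
            return app["name"]
        if app.get("ip") == flow.dst_ip and app.get("port", flow.dst_port) == flow.dst_port:
            return app["name"]
    if sni:
        for suffix, name in SIGNATURES.items():
            if sni == suffix or sni.endswith("." + suffix):
                return name
        return "TLS:unclassified"
    return "unclassified"
```

Encrypted ClientHello, or clients that omit SNI, leave `extract_sni` returning None, which is why the fallback to IP/port definitions matters in practice.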

Why Large Enterprises Moved to Cato in 2020

Today, Cato reported its 2020 financial results. On the surface, the results might seem to simply mark the strong financial growth that’s come to define Cato: over 200 percent bookings growth for the fourth consecutive year, a more than $1B valuation, and an additional $130 million funding round. But just as significant as the financial facts and figures were the causes propelling that growth. Cato saw significant increases in customer scale and complexity. Multiple 1,000+ site deployments and several Fortune 500 and Global 200 enterprises abandoned telco- and MSP-managed networks for Cato’s cloud-native service. All of which raises the question, what drove larger enterprises to Cato in 2020?

Platform Agility Allows Large Enterprises to Address Many Challenges, Easily

Large enterprises — and enterprises of all sizes — come to Cato for many reasons. In some cases, they come looking for MPLS migration to SD-WAN or Secure Branch Internet Access; in other cases it’s for Cloud Acceleration and Control and Remote Access Security and Optimization. But regardless of why they came to Cato, the overwhelming majority of Cato customers end up using Cato for networking and security. They may replace MPLS with Cato’s affordable backbone, but they also use Cato to secure the branch. They come to Cato for SD-WAN, but they also connect and secure branch offices and mobile users. This ability to address a wide range of networking and security use cases with a single, coherent platform has long drawn midsize enterprises but in 2020 has shown to be equally attractive to large deployments. And why not? Simplifying the network leads to cost savings, greater agility, better uptime, a reduced attack surface that attackers can exploit, and more. Every IT leader wants those benefits.

During 2020, one Fortune 500 grocery chain came to Cato to replace MPLS connecting its 500+ stores.
Today, the company also relies on Cato to protect users with Cato IPS and NextGen anti-malware security services, while leveraging Cato’s Hands-Free Management service for easy administration. Similarly, avoiding MPLS costs motivated a major car rental company to shift to Cato. The company connected 1,000+ locations across Cato’s global private backbone and protected them with Cato security services. A leading construction company had 1,200+ locations connected by legacy networking services. It replaced those services with Cato while also securing all sites with Cato IPS and NextGen Anti-Malware, and relying on Cato’s Hands-Free Management service for easy administration.

To be clear, enterprises don’t have to use Cato security services. Companies typically migrate gracefully to Cato, often deploying Cato alongside legacy technologies. But it’s this technical agility, the ability to easily and cost-effectively meet a broad range of requirements, that allows large enterprises to meet the scope of their challenges.

Service Agility Allows Cato To Accommodate Enterprise Needs

The second part of agility is in the service. With Cato having written the code for its SASE platform, features can be introduced far faster than if the service had been dependent on third-party appliances. When a global automotive parts manufacturer with 40,000 employees had that rare opportunity to start from a clean slate and build a modern network from scratch, the enterprise rigorously evaluated many networking and security architectures, eventually choosing Cato to connect and secure its 76 locations and 15,000 remote users. Part of why they selected Cato was the agility to meet their unique requirements. “I don’t know of another company I have worked with, in a very long time that can make the changes you have as quickly as you have,” remarked the network engineer at the enterprise. Partners had a similar reaction.
Last fall, Cato announced the Cato Cloud API for automating provisioning and monitoring from SIEMs and other third-party platforms. The team at CDW, an early adopter of the Cato Cloud API, was also impressed by Cato’s agility. “What struck us most was how fast Cato was able to produce the API. There wasn't even any back-and-forth. It was usable as soon as we got it,” says Mark Hurley, Product Manager of Enterprise Networking Services Research and Design at CDW. During 2020, Cato saw channel-led customer bookings grow by 240%.

Overall, Cato added 136 new features and 2,725 enhancements in 2020. Along with Cato Cloud API, other new capabilities included support for:

- 2 Gbps secure tunnels, exceeding all competing SASE offerings for locations and end-users.
- Remote user connectivity without end-point software using Clientless Remote Access, extending Cato’s SDP offering.
- Near-perfect threat detection by eliminating IPS false positives using Cato’s new built-to-purpose reputation assessment system that combines threat intelligence feeds and real-time network information.

During 2020, Cato expanded Cato’s geographic footprint, adding eight new points of presence (PoPs). With more than 60 PoPs worldwide, Cato can connect enterprise offices, remote/mobile users, and cloud resources whether they’re located near Casablanca, Morocco; Dubai, UAE; Lima, Peru or near dozens of other locations.

Cato SASE Platform: The Agile Solution for Today’s Digital Enterprise

It’s this combination — an agile technology platform with an agile service culture — that’s so appealing to so many of our customers. It gives them the confidence that they’ll be able to address the challenges of today and be prepared for those of tomorrow. Large enterprises might have “discovered” Cato in 2020, but wait till you see what’s in store for 2021. To find out more about SASE adoption in your enterprise with Cato, contact us here.

SASE vs. SD-WAN: Achieving Cloud-Native WAN Security

For several years now, the network evolution spotlight has been on SD-WAN, and rightfully so. SD-WAN provides big advancements in connecting branch locations into central data centers in a cost-effective manner. It is the networking equivalent of a killer application that allows companies to use a variety of transport mechanisms besides MPLS and to steer traffic according to business priorities.

Now the spotlight is shifting to the next evolution of networking: the secure access service edge (SASE). Like SD-WAN, SASE is a technology designed to connect geographically dispersed branches and other endpoints to an enterprise’s data and application resources. While there is some overlap in what the two technologies offer – in fact, SD-WAN is a component of SASE – there are significant differences in capabilities, not the least of which is network security. If SD-WAN gained traction for its flexible connectivity options, then SASE will be defined by its ability to seamlessly deliver full security to every edge on the network.

Enterprises Need a Distributed Network Architecture

Every enterprise, regardless of industry or geography, has a need for secure, high-performance, and reliable networking. In a bygone era, a hub-and-spoke networking architecture centered around an on-premises data center would have met that need—but not so today. A distributed network architecture is critical to support the increasing use of cloud platforms, SaaS applications, and especially remote and mobile workers. This last requirement is ever more important in a world still experiencing a global pandemic. And even as we eventually move to a post-Covid-19 era, there will be a significant need to support people who continue to work from home, either permanently or occasionally, as well as those who return to the office.
SD-WAN Is a Step in the Right Direction

SD-WAN is a software-based approach to building and managing networks that connect geographically dispersed offices. It uses a virtualized network overlay to connect and remotely manage branch offices, typically connecting them back to a central private network, though it also can connect users directly to the cloud. SD-WAN provides optimal traffic routing over multiple transport media, including MPLS, broadband Ethernet, 4G LTE, DSL, or a combination thereof. However, SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a reliable, well-performing network backbone is left unaddressed by SD-WAN appliances alone.

In general, SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. This only leads to complexity and higher costs as more security services are added as discrete appliances or virtual functions. Another option is known as Secure SD-WAN, a solution which integrates a full security stack into an SD-WAN appliance. In this case, the solution’s effectiveness is limited by the deployment locations of the SD-WAN appliances, which are typically installed at each branch. Security is only applied to the traffic at the branch. What’s more, in deployments covering multiple branches, each appliance needs to be maintained separately, which creates the potential for out-of-sync policies and out-of-date software.

Another shortcoming of SD-WAN is that, by design, networking appliances are built for site-to-site connectivity. Securely connecting work-from-home or mobile users is left unaddressed by SD-WAN appliances. While SD-WAN delivers some important benefits, networking appliances alone are not a holistic solution. That’s where SASE comes in.
SASE Is the Future of Secure Enterprise Networking

SASE takes all the capabilities of Secure SD-WAN and moves them to a cloud-based solution, which effectively eliminates geographic limitations. But more than that, the SASE approach converges SD-WAN, a global private backbone, a full network security stack, and seamless support for cloud resources and mobile devices. It is an architectural transformation of enterprise networking and security that enables IT to provide a holistic, agile, and adaptable service to the digital business.

The Cato SASE solution is built on a cloud-native and cloud-based architecture that is distributed globally across 60+ Points of Presence (PoPs). All the PoPs are interconnected with each other in a full mesh by multiple tier-1 carriers with SLAs on loss and latency, forming a high-performance private core network called the Cato Cloud. The global network connects and secures all edges—all locations, all users regardless of where they are, all clouds, and all applications.

Cato uses a full enterprise-grade network security stack natively built into the Cato Cloud to inspect all WAN and Internet traffic. Security layers include application-aware next-generation firewall-as-a-Service (FWaaS), secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV), and managed IPS-as-a-Service (IPS). Cato can further secure a customer’s network with a comprehensive Managed Threat Detection and Response (MDR) service to detect compromised endpoints. All security layers scale to decrypt and inspect all customer traffic without the need for sizing, patching, or upgrading of appliances and other point solutions. And because Cato runs a distributed, cloud-native architecture, all security functions are performed locally at every PoP, eliminating the latency legacy networks introduced by backhauling traffic for security inspection.
Importantly, in this age of work-from-home, Cato’s SASE solution easily supports mobile and remote users. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser. All security and network optimization policies that applied to users in the office instantly apply to them as remote users. Moreover, the platform can scale quickly to any number of remote users without worry.

For SASE, It Has to Be Cloud-Native Security

It wasn’t long ago that networking and enterprise security were different disciplines. Silos, if you will. But today, with users working everywhere, security and networking must always go together. The only way to protect users everywhere at scale without compromising performance is the cloud. Converging security and networking together into a genuine cloud service with a single-pass, cloud-native architecture is the only way to deliver high-performance security and networking everywhere. That’s the power of SASE. For more information, contact us or ask for a demo. Get the free e-book Secure Access Service Edge for Dummies.

Why Remote Workforce and Legacy Security Architectures Don’t Mix

Last week, we announced the results of our fifth annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for next year, and what they think about secure access service edge (SASE). When the dust settled and the results were tallied, we found an optimistic group of IT leaders, confident in their networks but concerned about securing and managing their remote workforce.

Make no mistake about it, work-from-home (WFH) and the remote workforce aren’t going away any time soon. Only 7% of respondents indicated that everyone will move back to the office. More than half (80%) indicated their companies will continue with a remote workforce in whole or in part.

With users working remotely, IT organizations still need the same level of security controls and visibility. But delivering those capabilities can’t be done by compromising application performance. And that’s a problem for legacy security architectures, as they add latency, crippling application performance, and lack the optimization techniques for improving the remote experience. It’s no surprise then that boosting remote access performance was the most popular primary focus for IT leaders over the next 12 months (47% of respondents). At the same time, when asked to cite the primary security challenges facing their IT organizations, 58% of respondents pointed to “enforcing corporate security policies on remote users,” making it second only to “Defending against emerging threats like malware/ransomware” (66% of respondents).

But the problems of securing the remote workforce don’t stand on their own. They’re compounded by all of the legacy security challenges facing IT teams.
More than half (57% of respondents) indicated that they lacked sufficient time and resources to implement security best practices. And those best practices can be as mundane as patching software and systems shortly after vendors release patches (32% of respondents). Astounding. In the 21st century, with networks that have seen throughput jump ten thousand-fold over the past 30 years, we still have patching problems?

IT managers shouldn’t blame themselves, though. It’s clear where the problem lies — in the architecture. As Cato security engineer Peter Lee noted in this blog when documenting the vulnerability and subsequent patches issued for VPN servers: “Patching has become so common that we just assume that’s the way it has to be. “Patch Tuesday” has us expecting fixes to problems every week. In reality, patching is an artifact of the way all appliances are built. If we eliminate the appliance architecture, we can eliminate the overhead and risk of patches.”

Eliminating appliances will not only eliminate patching problems, it will also eliminate the performance and visibility challenges introduced by legacy security architectures. Of course, this assumes enterprises can replace legacy security architectures with an approach that will:

- Simplify today’s security stack
- Eliminate the patching headaches
- Deliver secure access everywhere, at scale, without compromising performance
- Give visibility and control into all traffic flows

What architecture will do that? According to respondents — SASE. More than 91% of respondents expect SASE to simplify management and security. Of those who’ve already adopted SASE, 86% of respondents experienced increased security, 70% indicated time savings in management and maintenance, 55% indicated overall cost saving and greater agility, 36% saw fewer complaints from remote users, and 36% realized all these benefits.
No wonder that more than half of the respondents indicated that SASE would be very or extremely important to their business post COVID-19. Isn’t it time you considered SASE? To learn more about Cato’s SASE platform, contact us here.

SD-WAN or SASE: The Power is in the Platform

As enterprises set out to modernize their networks, SD-WAN has become a key networking technology for connecting offices. But with COVID-19, users transitioned to work at home, not in the office. What’s the alternative? Buy more VPN servers? That’s short-term thinking, and only effective until enterprises need to change again, and users move back to the office. Then IT’s left with an infrastructure investment sitting underutilized. No, to support the new requirements of the post-pandemic era, enterprises need a new strategy, one that addresses the needs of an uncertain working environment.

A Platform Rather than a Product

The biggest challenge for this new strategy is that it’s not clear what those needs will be. Yes, we need to have large-scale, high-performance remote access today, but that was a problem for IT back in January and March. What are tomorrow’s challenges? That’s harder to foresee. And since you don’t yet know what problems will arise, you can’t possibly buy a product to prepare for tomorrow – unless, of course, you’re prepared to gamble with your budget.

What you can do, though, is put in place a solution that has ALL the capabilities you’ll need but only activate those needed today. When new work conditions present themselves, the right platform can adapt quickly. Such a platform should be agnostic of the last-mile technologies. It should be lean enough to run anywhere on any device, connecting any kind of location – a branch, datacenter, or cloud resource. And it should have the geographical footprint, security capabilities, and optimization technologies to securely connect users across the globe without compromising the user experience.

A decade ago, such a comprehensive, global platform wasn’t possible. Today, though, the necessary networking and security technologies have matured to the point that they can be converged together. The Internet is everywhere.
Processing resources are ubiquitous in the cloud. And 90 percent of the capabilities of routers, firewalls, and now, SD-WAN are common across vendors. The real value then comes not in any one product but in the convergence of those capabilities together.

Yes, SD-WAN is one of the capabilities in such a platform, but SD-WAN alone is not the answer. SD-WAN appliances are products aimed at addressing a very particular problem – the limitations of MPLS and legacy networks. They won’t connect your mobile users or solve your long-term remote access challenges because SD-WAN solutions are built for the branch. They also don’t secure users or sites against malware. SD-WAN solutions also fail to provide the backbone for predictable, global performance. To address these and other gaps, you’ll need yet more hardware or software, limiting IT agility, fragmenting visibility, and increasing costs.

Comprehensive Visibility and Management Remain Critical

As we tackle new challenges with point solutions, we risk creating greater management problems for ourselves. Add a new security solution – a new type of firewall, a SWG, or IPS – and you have yet another product to manage and maintain. Your visibility into the network becomes fragmented if you have one console for SD-WAN and another for the firewall, or global backbone provider. And once your view is fragmented, troubleshooting becomes dramatically more complex.

Having all technologies in one platform allows for a single pane of glass. IT managers can see networking and security events in one interface for all users – at home or in the office – accessing any resource – in the cloud or in a private datacenter. Such holistic insight improves all facets of network and security operations, from planning to provisioning new resources to troubleshooting. And management delivery should be flexible enough to meet enterprise requirements.
With self-service, enterprises configure and troubleshoot the networks themselves, doing in seconds what otherwise required hours or days with legacy telcos. For additional assistance, co-management should be available allowing customers to rely on ongoing support from the provider or its partners without relinquishing control for overall management. Fully managed offloads responsibility for moves, adds, and changes onto provider. Support Well, Run Fast A company’s network is critical infrastructure. It is the lifeblood of the organization’s communications and, quite often, its operations. Therefore, the customer/provider relationship should be viewed by both sides as a true partnership where each one can only succeed with full support from the other. Such a partnership can be hard to establish when a vendor just wants to sell a product and move on to the next opportunity. It requires companies to not only support customers well but also innovate fast. By owning the platform, providers can deliver new features independent of any supplier. It’s the kind of innovation we’ve seen in cloud services but not telcos and legacy carriers. It’s up to you, though, to find providers that live up to this vision. Making the Technology Transition to SASE SD-WAN is a sophisticated technology, but it’s meant for meeting the challenges of yesterday not to tomorrow. The Secure Access Service Edge (SASE) is a comprehensive platform that blends SD-WAN with security and remote access many other capabilities to meet whatever challenges you face today and, tomorrow. For more information about selecting SASE and the right partner for WAN transformation, watch the on-demand webinar -- The Dark side of SD-WAN.

Types of Remote Access Technologies for Enterprises

Types of Remote Access Technologies for Enterprises Long before the global pandemic made its way around the world, enterprises were already providing at least some of their workers the ability to work remotely. Whether it was salespeople on the road, or telecommuters working from home a few days per week, some small percentage of employees needed access to their corporate resources from some remote location. Then it seemed that overnight, millions of workers worldwide were told to isolate and work from home as best as they could. Businesses were suddenly forced to enable remote access for hundreds or thousands of users, all at once, from anywhere across the globe. Many companies that already offered VPN services to a small group of remote workers scurried to extend those capabilities to the much larger workforce sequestering at home. It was a decision made in haste out of necessity, but now it’s time to consider, is VPN the best remote access technology for the enterprise, or can other technologies provide a better long-term solution? Long-term Remote Access Could Be the Norm for Some Time Some knowledge workers are trickling back to their actual offices, but many more are still at home and will be for some time. Global Workplace Analytics estimates that 25-30% of the workforce will still be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good. Consequently, enterprises need to find a remote access solution that gives home-based workers a similar experience as they would have in the office, including ease of use, good performance, and a fully secure network access experience. What’s more, the solution must be cost effective and easy to administer without the need to add more technical staff members. VPNs are certainly one option, but not the only one. Other choices include appliance-based SD-WAN and SASE. Let’s have a look at each approach. 
VPNs Weren't Designed to Support an Entire Workforce

While VPNs are a useful remote access solution for a small portion of the workforce, they are an inefficient technology for giving remote access to a very large number of workers. VPNs are designed for point-to-point connectivity, so each secure connection between two points, typically a remote worker's device and a VPN gateway or concentrator (a network access server, NAS) in a datacenter, requires its own tunnel. Each NAS has a finite capacity for simultaneous users, so for a large remote user base, serious infrastructure may be needed in the datacenter.

Performance can be an issue. With a VPN, all traffic between the user's device and the VPN gateway is encrypted. On modern hardware the cryptographic overhead itself is usually small; the larger cost is the path the traffic must take. When a remote user needs access to IaaS and SaaS applications, the traffic must travel from the end user to the NAS in the datacenter before going out to the cloud, and back the same way (the "trombone" or hairpin effect). Every such detour adds latency.

An important issue with VPNs is that, as commonly deployed, they grant broad access to the entire network rather than granular, per-resource access. Stolen VPN credentials have been implicated in several high-profile data breaches: by using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks. What's more, a traditional VPN does not scrutinize the security posture of the connecting device, so malware can enter the network from an insecure user device.

SD-WAN Brings Intelligence into Routing Remote Users' Traffic

Another option for providing remote access for home-based workers is appliance-based SD-WAN. It brings a level of intelligence to the connectivity that VPNs don't have. Lee Doyle, principal analyst with Doyle Research, outlines the benefits of using SD-WAN to connect home office users to their enterprise network:
- Prioritization for mission-critical and latency-sensitive applications
- Accelerated access to cloud-based services
- Enhanced security via encryption, VPNs, firewalls and integration with cloud-based security
- Centralized management tools for IT administrators

One thing to consider about appliance-based SD-WAN is that it's primarily designed for branch office connectivity, though it can accommodate individual users at home as well. However, if a company isn't already using SD-WAN, this isn't a technology that is easy to implement and set up for hundreds or thousands of home-based users. What's more, a significant investment must be made in the various communication and security appliances.

SASE Provides a Simpler, More Secure, Easily Scalable Solution

Cato's Secure Access Service Edge (SASE) platform provides a strong alternative to VPN for remote access by many simultaneous workers. The platform offers the scalable access, optimized connectivity, and integrated threat prevention needed to support continuous large-scale remote access. Companies that enable WFH using Cato's platform can scale quickly to any number of remote users with ease. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) maintained by Cato to deliver a wide range of security and networking services close to all locations and users. The complexity of scaling is hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user's device or providing clientless access to specific applications via a secure browser.
Cato’s SASE platform employs Zero Trust Network Access in granting users access to the specific resources and applications they need to use. This granular-level security is part of the identity-driven approach to network access that SASE demands. Since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied to traffic from remote users. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies. This eliminates the “trombone effect” associated with forcing traffic to specific security choke points on a network. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN. SASE Supports WFH in the Short-term and Long-term While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.
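To make the difference between flat VPN access and per-resource ZTNA decisions concrete, here is an added example (it is not Cato code and not any vendor's policy format) of a small policy evaluator. The users, groups, device-posture attributes, resource names and rules are all hypothetical; the constructed scenario replays a contractor's stolen password from an unmanaged laptop, the case the VPN section above describes.

```python
"""Flat VPN access versus per-resource ZTNA decisions.

Added example, not Cato code or any vendor's policy format. Users, groups,
device-posture fields, resources and rules are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Device:
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

    def healthy(self) -> bool:
        # Minimal posture check; a real client reports many more attributes.
        return self.disk_encrypted and self.edr_running and self.os_patched


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    device: Device


@dataclass(frozen=True)
class Rule:
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_healthy_device: bool = True


# Hypothetical per-application policy: who may reach what, under which conditions.
POLICY: Dict[str, Rule] = {
    "erp.internal": Rule(frozenset({"finance", "it-admins"})),
    "git.internal": Rule(frozenset({"engineering", "it-admins"})),
    "wiki.internal": Rule(frozenset({"employees", "contractors"}),
                          require_mfa=False, require_healthy_device=False),
}
ALL_RESOURCES: Set[str] = set(POLICY)


def vpn_reachable(session: Session) -> Set[str]:
    """Flat network access: one credential check, then every routable host is reachable."""
    return set(ALL_RESOURCES) if session.user else set()


def ztna_decide(session: Session, resource: str) -> Tuple[bool, str]:
    """Per-request decision on identity, group, MFA state and device posture. Default deny."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "no rule for resource (default deny)"
    if not (session.groups & rule.allowed_groups):
        return False, "user not in an allowed group"
    if rule.require_mfa and not session.mfa_verified:
        return False, "MFA required"
    if rule.require_healthy_device and not session.device.healthy():
        return False, "device failed posture check"
    return True, "allowed"


def ztna_reachable(session: Session) -> Set[str]:
    """Only the resources for which every condition of the matching rule holds."""
    return {r for r in ALL_RESOURCES if ztna_decide(session, r)[0]}


# Constructed scenario: an attacker replays a contractor's stolen password from an
# unmanaged laptop (no disk encryption, no EDR) and cannot complete MFA.
STOLEN_CREDS = Session(
    user="c.jones",
    groups=frozenset({"contractors"}),
    mfa_verified=False,
    device=Device(disk_encrypted=False, edr_running=False, os_patched=True),
)

if __name__ == "__main__":
    print("VPN would expose :", sorted(vpn_reachable(STOLEN_CREDS)))
    print("ZTNA exposes     :", sorted(ztna_reachable(STOLEN_CREDS)))
    for res in sorted(ALL_RESOURCES):
        print(f"  {res}: {ztna_decide(STOLEN_CREDS, res)[1]}")
```

With the stolen credential the VPN model exposes all three hosts, while the ZTNA evaluator admits only the public wiki and records a specific denial reason for the rest; that reason string is what an access log would carry for later audit.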

Cato Engineers Review Favorite SASE Features

Cato Engineers Review Favorite SASE Features At Cato, we pride ourselves not only on the performance and airtight security of the Cato platform but the power and ease of use of its management tools. Cato’s cloud-based interface puts a lot of granular configuration power in the hands of the customers, rather than forcing them to wait hours or days for the provider to make each configuration change. Cato also provides unparalleled visibility into WAN traffic and security. In Cato’s Sales Engineers Demo and Interview Video Series, our sales engineers show you their Cato favorites. Dive in with them as they demonstrate how to set bidirectional quality of service, utilize Cato’s Zero Trust Network Access (ZTNA) capabilities, and deep dive into bandwidth management and analytics. How to Configure and Monitor ZTNA with Cato in Minutes - by Jerry Young: In 10 minutes, learn how to configure Cato’s Zero Trust Network Access (ZTNA) and then track and monitor access events. Jerry shows how easy it is when you use the right DNS settings, making sure that access is enforced correctly, unaffected by IP address changes. Watch as he defines ZTNA to specific hosts, applications, and users and demonstrates how access events are recorded and audited.   How a SASE with a Private Backbone Optimizes Access to Cloud Applications - by Nick Gagliardi: Nick shows how to optimize WAN traffic to specific cloud applications by keeping it on Cato’s global private backbone rather than public Internet. He demonstrates how simple it is to set an egress rule that keeps a specific cloud application’s network traffic on the Cato global private backbone, where it benefits from all the optimization and security of Cato’s SASE platform and performs as well as private applications hosted on private datacenters. Keep watching until the end to see what’s #1 on Netflix in Germany….even if you’re in the US.   
What Modern, SASE-based Network Monitoring Should Look Like - by Mark Bayne: Cato's Senior Director of Worldwide Sales Engineering, Mark Bayne, takes you through the many layers of Cato's SASE monitoring tools. He starts with the basic connectivity metrics, then proceeds to configuring individual application usage using Cato's application awareness technology, and demonstrates Cato's unique real-time views of live application prioritization, routing, and user access.

Bi-directional QoS, Advanced Bandwidth Management, and Real-Time Application Analytics - by Jack Dolan: Experience the power of Cato's bi-directional QoS, advanced bandwidth management, and real-time application analytics. Jack explains Cato's Cloud SASE architecture in detail, including how network traffic is routed, managed, and optimized. Moving through the management console, he demonstrates how to set network rules to control traffic priorities, and how Cato's advanced, real-time analytics give IT leaders an unprecedented view into their WAN.

How to Configure VoIP and ERP Optimization for 3,000 Global Employees Across the World in Minutes - by Sylvain Chareyre: Experience Cato agility with Sylvain as he shows how an IT manager can make enterprise-wide network changes instantly. In less than 10 minutes, Sylvain demonstrates how to deploy worldwide unified communications as a service (UCaaS) for 3,000 users, optimize access to an on-premises ERP system, and prepare the network for cloud migration.

The Best Networking Memes of 2020

The Best Networking Memes of 2020

Throughout the year, Catoians gather and share memes internally about a host of topics. This year, we developed a very unscientific algorithm for ranking those memes and sharing the very best. Big thanks to Cato's Daniel Avron, Jerry Young, Oded Engel, and Oren David for their efforts scouring the Internet. And without further ado...

#10 The Best Quote of 2020
#9 The Biggest Threat of the Year
#8 The Best Depiction of Work Life Under Covid-19
#7 The Best Label for a LAN Cable
#6 The Best Depiction of Dual Factor Authentication
#5 The Best Example of Worthwhile Remote Work
#4 The Best Example of COVID-19's Impact on Networking
#3 The Best Explanation of an Always On/Never Off Feature
#2 The Best Explanation of Application Developers vs. Application Testers
#1 The Best Consequence of Privacy Laws

And just in case you haven't had enough...

Best Contribution COVID-19 Has Made to Society
Best Usability Lesson

Stopping Sunburst: The Second-Best Argument for a SASE Platform

Stopping Sunburst: The Second-Best Argument for a SASE Platform

It's likely been the most sophisticated publicized attack in the past decade. For more than nine months, Sunburst, the trojan planted in SolarWinds Orion, lurked undetected in enterprise networks. Some 18,000 SolarWinds customers may have downloaded the trojanized Orion software, and not one reported the threat. (To better understand why this threat went undetected, check out this blog from Shay Siksik, Cato's Security Analyst Manager.) And these weren't small, unprofessional organizations. More than 425 of the US Fortune 500 companies use SolarWinds products. These are enterprises that likely invested in all manner of preventive security measures: NGFW appliances, antimalware, endpoint detection and response (EDR), and more. And still, it didn't matter. If you ever needed a lesson that security prevention isn't enough, Sunburst was it.

But there was a second, equally important lesson from this outbreak: what do you do post-infection? For appliance-studded enterprises, post-infection looks like a race against time. They need to update their infrastructure against the trojan and hunt for it on their networks before any further damage is done. In the real world, an appliance vendor's boast about how quickly it released a Sunburst signature is only half the story. Enterprises must still download, test, and deploy those signatures across all appliances from all vendors, an enormous headache. They must then hunt for Sunburst lurking in their organization, an impossible task without months of traffic already logged for analysis. No security appliance vendor is going to help on that score.

Contrast that with the experience of Cato SASE customers. Within a few minutes of identifying Sunburst's IoCs, our security team updated all Cato detection and prevention engines. Instantly, all Cato customers were protected against the trojan. No patches needed to be downloaded; no updates applied. No action was required of customers or partners. Period.

But that was only a start. Cato's security team mined months of data stored in our massive data warehouse, built from all customers' traffic flows. Through this process, the team could identify network flows exhibiting Sunburst IoCs and the enterprises they came from. The team alerted the relevant customers and helped them with remediation, and it will continue monitoring all Cato customer traffic for Sunburst going forward. And how long did this entire process take the Cato team? A few hours. In just a few hours, Cato was able to protect all customers against this threat and to identify and alert those already infected by Sunburst.

Let's be clear. There's no substitute for stopping threats before they penetrate defenses. We all know that. But given the complexity of today's networks, the first-mover advantage of attackers, and the enormous resources available to threat actors, perfect prevention is impossible. Enterprises must prepare themselves for what happens after learning about a threat. How do you discover and hunt for threats in your organization? In legacy enterprises, such an effort requires enormous expenditure: aggregation tools deployed to gather the data, storage purchased and maintained to hold months of traffic, data mining and analysis tools to investigate it, and, most of all, specialized talent hired to hunt for threats. More likely, companies would rely on an MSSP. Even then, the MSSP would still have to race against time, manually updating appliances and struggling to look for threats. But for customers of a true SASE platform, like Cato Cloud, automatic updates to all components and threat hunting are already part of the service.

Sunburst: Yet Another Argument for SASE

2020 has been a momentous year for security and networking teams. We began by learning about the fundamental shift in networking and network security called secure access service edge (SASE). Quickly, we saw the biggest argument for SASE: the need to shift to large-scale work from home. Whereas legacy enterprises spent weeks and months deploying large-scale work-from-home solutions, Cato SASE customers converted to remote access in minutes and hours. How appropriate, then, that we should close the year with another case for SASE: quick, instant response to Sunburst. To learn more about how Cato's SASE platform can help you ready your network for whatever comes next, contact us here.
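The retrospective sweep described above, matching months of retained flow and DNS records against indicators published on discovery day, is the part of incident response that is impossible without the logs. Here is an added example of that kind of hunt (it is not Cato's pipeline). The key=value log format, tenant names, indicator domain and address block are all constructed for the example, using the reserved .invalid TLD and TEST-NET ranges; they are not real Sunburst IoCs.

```python
"""Retrospective IoC hunt over retained network logs.

Added example of the sweep described in the post; not Cato's pipeline. Log format,
tenants, indicators and addresses are constructed (TEST-NET ranges, .invalid TLD).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed indicators "published" on discovery day. Domains are matched as
# suffixes because DGA-style beacons use a fresh random subdomain per victim.
IOC_DOMAINS: Set[str] = {"api-updates.invalid"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/29")]
LOOKBACK_DAYS = 270  # roughly nine months of retained data
DISCOVERY_DATE = datetime(2020, 12, 14, tzinfo=timezone.utc)  # hypothetical

# Constructed key=value flow/DNS records, oldest first. The first one is a true
# beacon that falls outside the retention window and is therefore never found.
SAMPLE_LOGS = """\
ts=2020-01-05T00:00:00Z tenant=globex src=10.9.0.3 dst=203.0.113.3 dns=old.api-updates.invalid bytes=1500
ts=2020-06-12T03:17:45Z tenant=acme src=10.1.4.57 dst=203.0.113.5 dns=h7kq2ms9.appsync.api-updates.invalid bytes=1834
ts=2020-06-12T03:18:01Z tenant=globex src=10.9.0.3 dst=198.51.100.44 dns=cdn.globex.invalid bytes=99000
ts=2020-06-13T03:17:50Z tenant=acme src=10.1.4.57 dst=203.0.113.6 dns=z3p0ahhq.appsync.api-updates.invalid bytes=1790
ts=2020-09-30T22:45:12Z tenant=initech src=10.20.1.8 dst=203.0.113.250 dns= bytes=400
ts=2020-12-01T08:00:00Z tenant=globex src=10.9.0.15 dst=203.0.113.2 dns=notapi-updates.invalid bytes=700
"""

LINE_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; an empty value (dns=) parses as ''."""
    return dict(LINE_RE.findall(line))


def domain_matches(name: str, iocs: Set[str]) -> bool:
    """Exact or subdomain match; 'notapi-updates.invalid' must NOT match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def ip_matches(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def hunt(lines: Iterable[str], now: datetime = DISCOVERY_DATE) -> Dict[str, List[Dict[str, str]]]:
    """Return matching records grouped by tenant, restricted to the retention window."""
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if "ts" not in rec:
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if (now - ts).days > LOOKBACK_DAYS:
            continue  # older than what we retain: cannot be hunted
        reasons = []
        if domain_matches(rec.get("dns", ""), IOC_DOMAINS):
            reasons.append("dns:" + rec["dns"])
        if ip_matches(rec.get("dst", ""), IOC_NETWORKS):
            reasons.append("dst:" + rec["dst"])
        if reasons:
            rec["match"] = ",".join(reasons)
            hits[rec["tenant"]].append(rec)
    return dict(hits)


def affected_tenants(lines: Iterable[str], now: datetime = DISCOVERY_DATE) -> List[str]:
    """The customers to notify, sorted."""
    return sorted(hunt(lines, now))


if __name__ == "__main__":
    for tenant, recs in hunt(SAMPLE_LOGS.splitlines()).items():
        for r in recs:
            print(f"{tenant}: {r['ts']} {r['src']} -> {r['match']}")
```

Two details matter in practice: the domain check requires a dot boundary so look-alike names do not produce false positives, and the destination check uses network membership rather than string equality so a whole published block is covered at once.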

MPLS Upgrade for the Modern Enterprise

MPLS Upgrade for the Modern Enterprise

If you are about to renew your MPLS contract, or if you need to upgrade your capacity, STOP! Don't commit to another year of MPLS until you've had time to consider whether it's the right technology to carry your business forward. Modern enterprises now have alternatives to MPLS that are more flexible and just as reliable for building a WAN. Not only is MPLS expensive and inflexible, it's also poorly suited to organizations that embrace cloud computing, SaaS applications, and a mobile/remote workforce. If it's been a while since you've shopped around for network connectivity, you need to know that you can switch your dedicated and expensive MPLS network to a cloud-based network and still sustain the service levels your business needs, maintain security, cut costs, and improve overall agility and flexibility.

MPLS Can't Adapt to Changing Traffic Patterns, and Other Drawbacks

Every enterprise needs secure, high-performance, reliable networking. For decades now, organizations have built their WANs using MPLS circuits to connect branch offices back to the corporate home office. Until recently, MPLS circuits were not only the logical choice but the only choice for high-performance branch connectivity. The advent of cloud computing and high adoption rates for SaaS applications are real disruptors for WANs built on an MPLS-based hub-and-spoke architecture. MPLS connects fixed sites; it has no notion of a cloud application or a mobile user. In the typical hub-and-spoke design, workers in branch offices have no direct path to the Internet for cloud or SaaS applications. Their traffic is backhauled to headquarters over the MPLS lines and then sent out to the cloud. This "hairpinning" of traffic adds latency and creates performance issues. It certainly fails to meet today's needs when a large percentage of traffic is cloud bound. Consider that Microsoft 365 is the world's most widely used cloud service (56% of organizations around the world use it), yet it isn't designed to work over a legacy MPLS WAN.

There are other shortcomings of MPLS for modern enterprises. Security is one: an MPLS network separates customers' traffic, but it provides no encryption or other built-in data protection, and a misconfiguration can expose the network. Cost is another, especially compared to alternatives that use the Internet as transport; MPLS has a much higher per-megabit price. What's more, MPLS offers no mechanism to support individual users who work remotely or who must be highly mobile. For enterprises with a global or multinational footprint, it can take a long time, perhaps as long as half a year, to deploy MPLS in different countries. There is no single global provider of MPLS, so an enterprise must work through a broker or manage numerous service providers. But perhaps the biggest drawback is a lack of control over the network: the service provider(s) has an outsized role in managing it.

Is SD-WAN the Alternative to an MPLS Upgrade?

For several years now, pundits have touted SD-WAN as an alternative, or at least a complement, to MPLS. Certainly, SD-WAN has been looking to address the challenges of MPLS, like cost, capacity, rigidity, and manageability. An SD-WAN edge can dynamically route traffic over multiple data services (cable, xDSL, 4G/LTE, and even MPLS) based on the type of traffic and the quality of the underlying service. An enterprise can easily increase the capacity available for production by adding inexpensive data services to an existing MPLS-based network. Zero-touch provisioning allows the edge to configure its connection to the WAN using the available mix of services at each location. This means that new sites can be brought on quickly with a single or dual Internet service or 4G/LTE.
SD-WAN offers many desirable features, but on its own, it’s not a full-fledged replacement for MPLS. In many cases, and especially for branch offices, an MPLS circuit is still needed to carry latency-sensitive traffic. Also, SD-WAN routers don’t address security needs. Enterprises need to extend their security architectures using edge firewalls or cloud security services, which adds to the cost and complexity of an SD-WAN deployment. Moreover, SD-WAN solutions weren’t designed with cloud resources and mobile users in mind. Vendors have since come up with ways – albeit inelegant – to route traffic to the cloud, but mobile users are left in the lurch with SD-WAN. SASE Extends SD-WAN as a Real Alternative to MPLS Cato Networks’ SASE solution addresses the shortcomings of pure SD-WAN to offer a genuine alternative to MPLS-based networking. SD-WAN is actually just one part of Cato’s network offering. SD-WAN appliances deliver important networking functionality while SASE goes further by converging SD-WAN with other network and security services to create a holistic WAN connectivity and security fabric. The Cato Cloud provides an SLA-backed global backbone of points of presence (PoPs) that form an affordable alternative to MPLS-based networking. This single, global network connects and secures all enterprise edges – sites, cloud resources, and mobile/remote users – without compromising on the cost savings, agility, or reach of the Internet or the predictability, reliability, and performance of MPLS. This SASE solution also builds security into the underlying cloud-native architecture to eliminate the need for a patchwork of security appliances. SASE is a truly transformational approach to the WAN. By combining SD-WAN and other networking functionality with advanced security features, SASE can legitimately address most WAN network and security requirements at scale, and certainly, be a legitimate replacement for an MPLS-based network. 
Learn More Cato purpose-built the world’s first true SASE platform and has been recognized as a leader in the space. If you’d like to learn more about what SASE can do for your enterprise, please contact us today, sign up for a demo, or download our “How to Migrate from MPLS to SD-WAN” eBook.

50,000 Fortinet VPNs Breached Via Vulnerability Fixed 18 Months Ago. Here’s What You Can Do.

50,000 Fortinet VPNs Breached Via Vulnerability Fixed 18 Months Ago. Here's What You Can Do.

Last week (25 November 2020) reminded us once again of the importance and challenge of that real-world problem: patching. It was reported that a hacker had leaked the credentials for 50,000 Fortinet VPNs. The victims include high street banks, telecoms, and government organizations from around the world. The stolen data includes usernames, passwords, access level (such as 'full access'), and the original unmasked IP address of the user connected to the VPN. The data is spreading across the Dark Web.

The vulnerability exploited to obtain the data is CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download system files through specially crafted HTTP resource requests. This is not its first known exploitation. Back in July 2020, the UK's National Cyber Security Centre (NCSC) and Canada's Communications Security Establishment (CSE) published information on the use of this vulnerability by APT29, also known as 'Cozy Bear' and believed to be a Russian state-backed group involved in hacking the DNC prior to the 2016 U.S. elections. In that instance, the target reached via the Fortinet VPNs was thought to be information about COVID-19 vaccines. In October 2020 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned that the Russian state-backed hacking group often known as Energetic Bear used the same vulnerability in attacks against various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks, ahead of the 2020 elections.

None of this should have been possible. Fortinet patched the vulnerability back in spring 2019, well over a year before these incidents. After the latest incidents, Fortinet told Bleeping Computer, "In May 2019 Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade."

Patching. That's the Real Problem

So, the real problem here is a patch problem. Fortinet VPN users, thousands of major corporations and government entities, simply failed to patch a critical vulnerability despite repeated warnings. The need for a robust patching regime has been known and urged for decades. But still companies fail to patch their systems efficiently or sufficiently. The result can be disastrous. The infamous Equifax breach of 2017 was ultimately a failure to patch. The ultimate cost to Equifax could be several billion dollars, combining settlements to affected users (potentially up to $2 billion) and a further $1 billion for agreed security upgrades. There are many other examples of costly breaches caused by a failure to patch. The basic problem remains: organizations find patching very difficult, and unpatched systems will continue to be compromised. According to a Ponemon/ServiceNow report from October 2019:
- 60% of breach victims were breached through a known vulnerability for which a patch was available but not applied
- 62% were unaware that their organizations were vulnerable prior to the data breach
- 52% of respondents say their organizations are at a disadvantage in responding to vulnerabilities because they use manual processes

There are many reasons for companies' failure to patch. Not enough staff. Insufficient resources to adequately test the possible downstream effects of patches. And connections to operational technology, where the ingrained philosophy is not to touch something that is currently working. Indeed, Dark Reading has reported that nearly three-fourths of organizations worry that software updates and patches could 'break' their systems when applied. Then there are the usual challenges of downtime, legacy system patching, and compatibility with existing applications and operating systems.

Patching Doesn't Have to Be a Problem

But there is a solution to the patch problem that is simple and effective and not dependent on in-house resources: firewall as a service (FWaaS), such as that provided in Cato's SASE platform. Without the cloud, security must be installed appliance by appliance, location by location. It falls to the overworked and under-resourced security or IT team to update and manage those appliances; this is where patching fails. Cloud services, however, do not rely on their users' own staff resources. Whenever Cato becomes aware of a new fix or patch, we automatically push it out to all our customers. Cloud service users receive a robust patch regime for the network security stack without having to worry about patching it themselves, or about a repeat of the Fortinet VPN incidents and the Equifax patch failure. (The servers and endpoints behind that stack still need their own patch regime; what moves to the provider is the edge that faces the Internet.)
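The bug class behind CVE-2018-13379 is path traversal in a web handler that reads a file named by the request. As an added example (not Fortinet's code, and not a reproduction of the actual exploit request), here is the unsafe pattern beside a hardened version. The directory layout, file names and contents are constructed in a temporary directory so the code runs anywhere.

```python
"""Path traversal in a file-download handler: the unsafe pattern beside a hardened one.

Added example illustrating the generic bug class; not vendor code and not the real
request. The web root, the file outside it and their contents are constructed.
"""
import os
import tempfile
from typing import Tuple


def read_file_unsafe(web_root: str, requested: str) -> bytes:
    # Vulnerable: attacker input is joined directly. "../" climbs out of web_root,
    # and an absolute path makes os.path.join discard web_root entirely.
    path = os.path.join(web_root, requested)
    with open(path, "rb") as fh:
        return fh.read()


def resolve_inside(web_root: str, requested: str) -> str:
    """Canonicalize and prove the result is still under web_root, else refuse."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    root = os.path.realpath(web_root)
    # Strip leading separators so an absolute request cannot replace the root,
    # then resolve symlinks and '..' before comparing.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def read_file_safe(web_root: str, requested: str) -> bytes:
    with open(resolve_inside(web_root, requested), "rb") as fh:
        return fh.read()


def build_demo_tree() -> Tuple[str, str]:
    """Constructed layout: a web root with index.html and a sensitive file one level up.
    Returns (web_root, traversal_request)."""
    top = tempfile.mkdtemp(prefix="traversal-demo-")
    web_root = os.path.join(top, "webroot")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "wb") as fh:
        fh.write(b"<h1>portal</h1>")
    with open(os.path.join(top, "sessions.db"), "wb") as fh:
        fh.write(b"user=alice;token=SECRET")  # stands in for session state
    return web_root, "../sessions.db"


def demo() -> Tuple[bytes, bool]:
    """(what the unsafe handler leaks, whether the safe handler refused the same request)."""
    web_root, attack = build_demo_tree()
    leaked = read_file_unsafe(web_root, attack)
    try:
        read_file_safe(web_root, attack)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("unsafe handler returned:", leaked)
    print("safe handler refused   :", blocked)
```

Because the check runs on realpath() output, a symlink planted inside the web root that points outside it is refused as well; a check on the raw string (for example rejecting ".." literally) would miss that case and is also easy to bypass with encoding tricks upstream.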

How Cato Cloud Resiliency Overcomes Regional and National Outages

How Cato Cloud Resiliency Overcomes Regional and National Outages

Just a day before Thanksgiving, an AWS cloud outage struck down large parts of the Internet for multiple hours, impacting major apps, websites, and services worldwide like Autodesk, Roku, and Shipt. Although only 1 of 23 AWS geographic regions (US-East-1) experienced issues at the time, the global echo was significant for any company dependent on AWS cloud services.

It’s incredibly important to look “under the covers” of all cloud-based offerings, especially those claiming to be SASE services. Simply spinning up a virtual appliance in the cloud or hosting physical appliances and calling it a “cloud-based service” is a far cry from providing an enterprise-grade service that’s designed to work 24x7x365. What happens when the appliance fails? How does the cloud-hosted appliance deal with failures in the cloud provider’s infrastructure? If SASE is to become the networking and security solution, it must be enterprise-grade. This is very much a case where architecture matters.

Cato Cloud: A Self-Healing Architecture

Cato has spent years developing a cloud-native, self-healing platform that can recover from failures at all levels of its architecture. Today, Cato runs a stateless, single-pass cloud-native engine that handles the routing, optimizing, and securing of all WAN and Internet traffic. Processing is distributed across a cloud-scale, global network of points of presence (PoPs). The controller functionality is a smart, distributed data plane at the processing engine level, not a single controller, eliminating a potential single point of failure. With most processing in the cloud, edge devices and clients accessing Cato are radically simplified, further reducing the likelihood of edge outages. Every Cato Cloud tunnel and resource has automated failover capabilities inside the PoP, across PoPs, and across the entire cloud for a fully self-healing architecture.

Self-Healing of the Cloud Network

Rather than the unpredictable global Internet, Cato Cloud is built on our global private backbone. It’s a global, geographically distributed, SLA-backed network of 60+ PoPs, interconnected by multiple tier-1 carriers. This cloud network is engineered to deliver predictable transport with zero packet loss, minimum latency, and global optimization for maximum performance.

Self-Healing Between PoPs

Upon a failure or degradation in a tier-1 carrier connecting to a Cato PoP, any PoP can automatically switch to an alternate tier-1 carrier in the global backbone to maintain Internet access. If needed, PoPs will connect to the nearest Internet Exchange (IX) for enhanced redundancy. If any global PoP becomes unreachable or is disrupted due to maintenance, all tunnels connected to that PoP automatically move to the nearest available PoP. Special rules for failover, regulations, and more are included in the automatic decision-making for tradeoffs. IP ranges associated with failed PoPs are also moved to ensure service continuity.

Self-Healing Within PoPs

All of Cato’s PoPs contain redundant servers, each running identical copies of Cato’s software. These compute nodes are available as needed, and each one can serve any edge tunnel connected to that PoP. If a compute node fails, the disconnected tunnels will reconnect to an available compute node inside the same PoP, as it remains the closest PoP to the disconnected edges. In most cases, user sessions will not be affected.

Overall Self-Healing

And in the unlikely event of total Cato Cloud loss, Cato Sockets can establish direct connectivity to enable branch and Internet connectivity using the public Internet, without security or backbone.

Self-Healing at the Edge Locations

Cato edge appliances are thin edge SD-WAN devices with sufficient logic to move traffic into Cato Cloud for networking and security processing. The thin-edge design makes redundant devices affordable. Cato also provides Sockets with redundant components. Several high availability (HA) branch design options are available: affordable cold spares with automatic provisioning in the cloud, warm standby for automatic takeover as part of the self-healing architecture, and transport overlay across multiple last-mile transports in either active/passive or active/active configurations. Sites automatically reconnect to the optimum PoP upon any outage or degradation. In addition, if the Cato Cloud is temporarily unreachable for any reason, branches communicate directly with one another, automatically reconnecting to the Cato Cloud once it is available again.

Remote Users

The same seamless HA is available for remote users. If a remote user’s device loses tunnel connectivity or the user roams, Cato Clients automatically reconnect to the nearest PoP, with dynamic tunnel failover inside a PoP or across PoPs, to continue all services.

Built-in Self-Healing for Peace of Mind

As the recent AWS outage reminds us, the public cloud, for all its reliability, does not by itself guarantee uptime. In today’s cloud-first digital world, fragmented networking point solutions add HA complexity and cost. With Cato’s self-healing architecture, all failure detection, failover, and fallback are automatic, with no need to manually update networking, security, or optimization policies. Cato’s cloud-native SASE platform enables global enterprises to meet or even surpass uptime requirements with the best mix of cost, resilience, and enterprise-grade redundancy: superior to the unpredictable public Internet and more affordable than global MPLS and other legacy backbones.

Read more about how Cato helps global and regional enterprises in digital transformation.

Top 15 Network Security Websites

Network security covers many different areas, including access control, cloud security, malware protection, BYOD security, remote workforce, and web security. The modern digital business of any size, industry, or location needs to keep up with all these responsibilities to maintain a strong security posture. So we gathered a list of 15 websites (listed alphabetically) to help you stay informed about the latest trends and innovations in the network security arena.

1. CIS

CIS is a forward-thinking nonprofit with a mission “to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” The resources section offers a wide range of materials including whitepapers, blogs, and webinars. A recent blog post provides cyber defense tips for staying secure both in the office and at home.

2. Dark Reading

Dark Reading is one of the most respected online magazines for security professionals, offering both news and in-depth opinion pieces on the latest developments within the industry. It has some excellent articles, offering the latest information in cybersecurity management to keep you in the know.

3. Data Breach Today

Data Breach Today offers a wealth of information on security, from training and compliance guides to industry events and the latest news. There’s an extensive section on network and perimeter security issues, including webinars and whitepapers. One interesting webinar looks at how enterprises are investing in bug bounty competitions to find network vulnerabilities.

4. Hackaday

Not a network security blog per se, Hackaday nonetheless deserves a special mention. This cheeky website is all about the community built around the idea of hacking, which is defined as “an art form that uses something in a way in which it was not originally intended”. The website gathers hacking stories that are primarily intended for entertainment.

5. Help Net Security

Help Net Security covers technical security challenges and management concerns. Contributors include an impressive roster of industry leaders, who discuss everything from cultivating a sustainable workforce during COVID-19 to tech trends and risks shaping organizations’ data protection strategy. Make sure to check out the whitepaper archives for more in-depth content.

6. IDG

IDG is a worldwide leading tech media company with a community of the most influential technology and security executives. Some of IDG’s premium brands include CIO®, Computerworld®, CSO®, and Network World®. A great visual summary of IT response, six months into the pandemic, is available here.

7. Infosec

Infosec has been fighting cybercrime since 2004, offering the most advanced and comprehensive education and training platforms. Infosec is recognized as a security awareness and training leader by both Gartner and Forrester. Some of their helpful resources include topics like General Security, Wireless Security, and Threat Hunting.

8. Infosecurity Magazine

Infosecurity Magazine is the go-to resource for the latest news on all subjects related to information security. It has over ten years of experience providing knowledge and insights, focusing on hot topics and trends, in-depth news analysis, and opinion columns from industry experts. Check out the Network Security section, which includes topics such as access rights management, endpoint security, firewalls, intrusion prevention/detection, and more.

9. SANS Institute

Established in 1989, SANS Institute specializes in information security, cybersecurity training, and certification in over 90 cities across the globe. Their website includes a large repository of materials on network security. They offer an interesting course, which gives an in-depth look at intrusion detection, and provide whitepapers on network security.

10. SC Media

SC Media has been sharing industry expert guidance and insight, in-depth features and timely news, and independent product reviews for 30 years. The magazine also runs annual awards for organizations that apply innovative solutions to security issues. Check out the resource library for featured assets and reports.

11. Security Magazine

Security Magazine looks at network security issues from the point of view of C-level management. The column Security Talk offers insights into the issues C-level executives face today. A recent publication discusses the cybersecurity threats that require security leaders to ensure constant control enforcement across newly expanded footprints.

12. TechRepublic

TechRepublic is a great source for breaking IT news, best practices, advice, and how-tos delivered by a global team of tech journalists, industry analysts, and real-world IT professionals. A recent article reviews the five must-know emerging tech terms from Gartner's 25th Hype Cycle report.

13. The Hacker News

Established in 2010, The Hacker News is a dedicated cybersecurity and hacking news platform that attracts over 8 million readers. It’s considered one of the most significant information security channels for topics such as data breaches, cyber attacks, vulnerabilities, and malware. It includes a rich Security Research Library and featured articles on industry innovations, such as “Gartner Says the Future of Network Security Lies with SASE” and product reviews on secure remote access (ZTNA/SDP), managed threat detection and response (MDR), and lots more.

14. The Register

The Register is a leading, reliable global online enterprise technology news publication, reaching ~40 million readers worldwide. Known for its opinionated and sometimes controversial opinion pieces, The Register offers networking professionals a valuable collection of interesting content written by industry peers. The website includes a prominent section on security.

15. Threatpost

Threatpost is an independent leading news site for IT and business security, covering topics like vulnerabilities, malware, and cloud security. Threatpost’s award-winning editorial team provides a rich selection of content, including podcasts, featured articles, videos, and slide shows, alongside expert commentary on breaking industry news.

Can you think of any other resource that should be on this list? Follow us on LinkedIn, Facebook, or Twitter, and let us know! Also, as someone who is interested in network security, make sure you learn about SASE, if you haven't already.

*This blog was updated and republished in November 2020

SASE: It’s the iPhone of Networking

When the Apple iPhone hit the market in 2007, it was described as "revolutionary." The monumental success of the iPhone – and countless imitators from other smartphone vendors – has proven the term to be correct. But why? What’s the big innovation of the smartphone? After all, the components in a smartphone predated this type of device by years. We had our PDAs for our contact lists and appointments, digital cameras to take photos, mobile phones to place calls, handheld GPS to find our way to places, and portable media players for music. The innovation of the smartphone was, of course, that it converged all these functions (and more) together.

Convergence. That is the innovation of SASE. When Gartner defined the market for the Secure Access Service Edge (SASE) last year, we had already seen all its networking and security functions on the market. We already had firewalls and UTMs. We had mobile access solutions. We had SD-WAN and networking. But we had them as separate solutions coming from different vendors, which made their deployment quite complex. What’s more, with the functions being separate components, taking advantage of capabilities across the functions required heavy integration and multi-vendor coordination. Like the smartphone, SASE’s first innovation is that it brought all those disparate components together into one converged and convenient platform. This makes deployment and delivery much simpler.

Convergence Is More Than Convenience

Packaging multiple functions into a smartphone did more than save pocket space. It created a platform that could be used for unlimited applications. Sensors, software, and other capabilities all built into the smartphone resulted in several benefits. First, things work together seamlessly, so no integration is needed. Second, app developers don’t have to create functions for themselves because they can simply use what the platform already offers. But most importantly, a robust platform with lots of capabilities is a force multiplier to spur even more innovation and new kinds of solutions that might otherwise be impractical or even impossible to build.

For example, the language translation app Google Translate builds on some of the inherent features of the smartphone in a very innovative way. This app delivers a language conversion engine that lets you translate a sign written in a foreign language in real time. It uses the smartphone’s camera to capture an image of the sign, embedded OCR to convert the image into text, and then Google’s own language engine to translate the foreign text to the target language. Google used some of the capabilities of the smartphone, coupled with its own technology, to create a unique and high-value application. Delivery of Google Translate’s capabilities wouldn’t be possible without convergence of functions on the device.

A SASE Platform Enables Capabilities that Were Previously Impractical, If Not Impossible

The same is true of SASE. Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. It allows for combining data and capabilities in different ways to develop new solutions that otherwise might have been impossible to deliver. Let’s explore some examples of the benefits of convergence in the Cato SASE platform:

ZTNA and Remote Access - VPNs have traditionally been the dominant point solution to provide remote access to a network. However, VPNs bring risk to an enterprise due to the lack of granular control over network access. Software-defined perimeter (SDP), also called Zero Trust Network Access (ZTNA), enables tighter overall network security for remote access users. SASE converges ZTNA, NGFW, and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage Cato’s SASE architecture receive the benefits of ZTNA along with a full suite of converged network and security solutions that is both simple to manage and highly scalable.

High-Performance FWaaS - Firewall as a service is a multifunction security gateway delivered as a cloud-based service. It is often intended to protect mobile users and small branch offices that have no dependency on the central datacenter for applications. Standalone FWaaS offerings often incur poor site-to-site performance because of their few PoPs and dependency on the unpredictable, global Internet. With integrated FWaaS, though, Cato’s SASE architecture addresses these shortcomings to deliver high-performance FWaaS.

Threat Prevention - The Cato SASE platform detects and prevents threats not only based on signatures and security feeds but also on network characteristics. This latter information wouldn’t be available if Cato’s security services had been built on a security-only platform. Instead, Cato captures the network metadata of all flows from all users at all customers in a massive data warehouse, enriched with threat-intelligence feeds and other security-specific information. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks. It's the kind of context that can't be gleaned from looking at the networking and security domains separately, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real time.

Event Correlation - Last year, Cato introduced SIEM capabilities called Instant*Insight, offered with the Cato platform at no added cost to customers. Instant*Insight organizes the millions of networking and security events tracked by Cato into a “queryable” timeline through a single pane of glass. This service tracks issues for all sites, mobile users, and cloud resources. IT teams can quickly drill down into and correlate these events to arrive at the root cause of issues. For years, organizations have looked for such a platform, but delivering it was impractical before SASE convergence. Network appliances typically share log data – not raw event data – with SIEMs. Even then, the right APIs need to be written, the data needs to be normalized, and only then can it be stored in a common datastore. It’s a massive undertaking when networking and security are separate functions. But Cato was able to develop Instant*Insight in a matter of months precisely because we were able to leverage the power of convergence. The data had already been gathered and the base tool sets were available.

In short, a true SASE platform does more than make deployment easier. It converges capabilities together to form a platform that provides the basis of new capabilities. Integration can’t give you that—only smartphone-like convergence can.

Rethinking Enterprise VPN Solutions: Designing Scalable VPN Connectivity

The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers. Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work from home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.

Enterprise VPN Solutions are Not Designed for Distributed Workforces

VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link for routing traffic over an existing path. For people working from home, this path is going to be the public Internet. The VPN software creates a virtual private tunnel over which the user’s traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous users. VPN visibility is limited when companies deploy multiple disparate appliances.

Pre-pandemic, many organizations had sufficient VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This supported employees temporarily working from hotels and customer sites as well as from their homes. Once the pandemic restrictions forced people to isolate at home, companies saw their VPN usage shoot up to as much as 50 to 70 percent of the workforce. It was a real challenge to quickly scale capacity because the number of required VPN links for continuous connectivity scales exponentially with the number of remote sites.

Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats. To maintain security, the traffic must be routed through a security stack at its terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.

Another issue with VPNs is that they provide overly broad access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks. Of further concern, VPNs themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January.

Related content: read our blog on Moving Beyond Remote Access VPNs

SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions

In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE). Cato Networks is recognized as offering the world’s first global SASE platform. Cato’s SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources. It so happens that SASE is an ideal VPN alternative. SASE offers the scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access.

There are several ways that Cato’s SASE platform outperforms a traditional VPN solution.

First, the SASE service seamlessly scales to support any number of end users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.

Second, availability is inherently designed into Cato’s SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.

Third, SASE PoPs are interconnected with a private backbone and closely peer with cloud providers to ensure optimal routing from each edge to each application. This is in contrast with the use of the public Internet to connect users to the corporate network.

Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.

And lastly, Cato’s SASE platform employs Zero Trust Network Architecture in granting users access to the specific resources and applications they need to use. This granular level of control is part of the identity-driven approach to network access that SASE demands.

SASE is Well-Suited to Remote Work

Enterprises that enable WFH using the Cato Networks SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure, or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or providing clientless access to specific applications via a secure browser. Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company’s datacenter. Routing and security are integrated at this network edge. Thus, security administrators can choose to inspect business traffic and ignore personal traffic at the PoP. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of forcing it to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.

WFH Employees Have Secure and Productive Access to the Corporate Network

While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.

Why SASE Must Support ALL Edges, ALL Traffic, and ALL Applications

As SASE becomes more widely adopted in the industry, there are wide discrepancies in the use of the term. In its August 2019 report, The Future of Network Security Is in the Cloud, Gartner saw SASE (Secure Access Service Edge) as creating a single network for the complete enterprise, connecting and securing all edges everywhere. Of late, though, some network providers want to selectively deliver only part of those capabilities, such as only providing secure access to the Internet. It’s really “sleight of marketing” to call implementing select capabilities “SASE,” as this doesn’t meet Gartner’s original definition of the term [bold emphasis added]:

The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises. SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.

In further describing SASE, the Gartner analysts wrote:

What security and risk professionals in a digital enterprise need is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to.

In short, SASE is meant to be one holistic platform for the complete network, covering all edges, all traffic, and all applications, i.e., the “entities” in the definition above.

The Legacy Network Can’t Be Overlooked

This complete network includes an enterprise’s legacy network. While enterprises are moving many applications and workloads to the cloud, as well as embracing mobility, there continues to be legacy infrastructure that still performs important functions. Workers in branch offices still need to access files in private datacenters. People in sales offices still need to use legacy applications left in private datacenters that are too sensitive or simply unsuitable to be moved to the cloud. Both scenarios, and many others, continue to require predictable, low-latency network performance between locations.

To deliver on those expectations, you’re going to need the right networking features. These include the route optimization to calculate the best path for each packet, the QoS in the last mile, and the dynamic path selection to move traffic to the optimum path. The global Internet is too unpredictable, with too much latency, to deliver high-performance connections day in and day out. You’ll need the lower latency of a global private backbone and a fix for packet loss. Basically, it’s all the “networking stuff” that we take for granted today when building an enterprise WAN.

Site-to-Site Security a Must

And when traffic is sent between sites, it must be secured. It means ensuring that NGFW is in place to restrict access to resources, that anti-malware is used to prevent the lateral movement of malware across the organization, and that DLP ensures that data isn’t being syphoned off in a breach. Relying on separate products to address site-to-site traffic means that enterprises have to face the challenges of a multiplicity of systems (and maybe even vendors). IT ends up juggling multiple management consoles, each populated with siloed information, which makes operations much more challenging. Visibility into the network is fragmented as data collection is spread across two (or more) solutions. And because visibility is obscured, so is the ability to detect trends spanning site-to-site and Internet communications. For example, malicious content may bypass detection and be downloaded from the Internet. The malware might then exfiltrate data to its C&C server or infect other WAN-based resources, such as a file server. Such activity might be missed if you weren’t looking at the networking and security domains for both Internet-based communications and site-to-site traffic.

SASE Sees It All

SASE spans all edges, applications, and traffic flows. Only a true SASE architecture has complete visibility and control over both network and security because they are converged into a single software stack. As noted in the recent Hype Cycle report, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” Thus, data flows are inspected one time (called a single-pass architecture) to determine networking and security needs: for example, which way to steer the packets, how to prioritize data flows, how to impose security policies, whether there is malware present, etc. Because all such evaluations are done in a single pass of the traffic – where the data flow is decrypted once, inspected, then re-encrypted – performance is truly enhanced. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected, and re-encrypted multiple times. This adds unnecessary latency to the network. It’s called “stitching together” a SASE-like solution, but it is hardly True SASE.

Why I Hate Multivendor SASE

Why I Hate Multivendor SASE

Of late, there’s talk about using multiple vendors to deliver a SASE solution. One would provide the SD-WAN and security, another the global private backbone, and perhaps a third will deliver remote access. But is that what SASE is all about?

As the article points out, Gartner analysts defined SASE as a single-vendor, cloud-native platform. In their August 2019 report “The Future of Network Security Is in the Cloud,” they wrote: “This market converges network (for example, software-defined WAN [SD-WAN]) and network security services (such as SWG, CASB and firewall as a service [FWaaS]). We refer to it as the secure access service edge and it is primarily delivered as a cloud-based service.”

In Gartner’s Hype Cycle for Network Security, 2020, the analyst firm does give a nod to “dual vendor deployments that have deep cross-vendor integration” as a form of SASE. However, I would argue that an “integrated” solution still has its faults.

The keyword in the original description of SASE is “converges.” There’s a difference between convergence and integration. Convergence conveys that network and security have been brought together onto one platform, best developed by a single provider, whereas integration conveys that multiple services or appliances from two or more suppliers are tied together through APIs or other means. Gartner calls this integrated approach a “SASE alternative” that approximates the offerings of a true SASE solution. The industry is more broadly calling it “multivendor SASE,” a solution in which customers stitch together networking and security functions from different vendors through integration.

SASE Was Defined to Address All of an Enterprise’s Requirements

As pointed out in the report, traditional enterprise network design, where the enterprise datacenter is the focal point for access, is increasingly ineffective and cumbersome in a world of cloud and mobile. Backhauling branch and mobile traffic for inspection no longer makes sense when most traffic needs to go directly to the cloud. Secure access services need to be everywhere. By spanning all edges, applications, and traffic flows, SASE provides:

- Support for existing east-west traffic (such as WAN, site-to-site, VoIP, RDP, to on-premise apps, etc.), which is still present and will be for some time, and
- Support for both current and future traffic flows with full optimization and security.

Pulling together all networking and security functions into a single, coherent platform does more than make deployment simpler. With all traffic consolidated into one converged platform, SASE provides complete visibility that enhances security and control.

How Multivendor SASE Falls Short

Multivendor SASE, which involves taking components from various vendors and integrating them together, falls short of a truly converged solution in several ways.

First is the challenge of deploying multiple devices, especially if the security stack is repeated in each branch. That’s a lot of appliances to deploy, configure and maintain.

Next is the major effort to integrate the different services and devices into a somewhat cohesive solution. The main solution provider – maybe an MSP or a telco – will take care of much of the integration, but some effort might still be on the customer’s plate. Integration is a daunting task, as the separate pieces are likely to be on different development or update cycles. Each time a patch is applied or an OS is updated, testing is needed to ensure there are no problems with the APIs or other aspects of the integration. This cycle of “update and test” adds time and cost to the solution each time one of the components changes.

Network and security management can be a challenge in a multivendor SASE solution. When there are distinct devices from different vendors, they each run their own management consoles and store data in separate formats and places. Perhaps one dominant management console is chosen to present the relevant data. However, important detail data from the individual services or devices might not be made available through that console. Moreover, alerting may be less efficient, as separate tools each want to provide their own alerts. Even if a SIEM is present to correlate the alerts, significant work is required to tune and maintain the SIEM’s correlation engine.

With the security stack being separate from the network, there is a loss of what we might call data fidelity where network security is concerned. The security tools are working from logs and not actual network flows, so they aren’t seeing everything in full context and thus might miss indications of threats.

The Advantages of Converged, Single Vendor SASE

When all networking and security components are converged into one platform, great synergies can be achieved. All traffic on the network needs to be inspected by various devices to know how to treat that traffic. The WAN needs to know how to route the traffic. The firewall needs to know how to process the traffic based on numerous policies. Different security devices need to know if the traffic harbors threats, or if sensitive data is being exfiltrated. Each of these functions needs to inspect traffic that is not encrypted. With Cato, the network and security are converged, so the traffic can be decrypted one time, inspected by all necessary functions, and then re-encrypted. Contrast this to a multivendor SASE that decrypts and re-encrypts traffic multiple times as it passes through each individual service or device. The converged SASE approach is much more efficient and doesn’t impact overall performance.

Having network and security all on one platform, in the same data flow, has the advantage of deep visibility when it comes to threat detection. The security inspection tools see everything on the network, not just logs. This provides deep and broad context – in Cato’s case, the context of all customers, not just one – to understand everything that is happening on the network and catch threats earlier in the kill chain.

As for integration, there is none. Cato’s entire SASE code base is one stack. It allows us to be very agile when it comes to updates, enhancements, and introducing new features. We don’t depend on third parties’ development lifecycles as a multivendor SASE solution must do.

Multivendor SASE Isn’t SASE At All—It’s Merely an Alternative

When it comes down to it, what the industry is calling “multivendor SASE” isn’t really SASE at all. It’s simply a way to allow traditional network or security vendors to bolt onto their current solutions to provide services that are similar to, but far short of, true SASE.

What is Zero Trust Architecture?

Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing fluff from the real value. Fortunately, unlike many buzzwords, there is plenty of substance around zero trust. So, what exactly is the substance behind zero trust and how can you identify solutions that meet your enterprise’s needs? Let’s take a look.

What is Zero Trust Architecture? A crash course

In simple terms, zero trust is based on these principles: apply granular access controls and do not trust any endpoints unless they are explicitly granted access to a given resource. Zero Trust Architecture is simply a network design that implements zero trust principles.

Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, it has access to everything on the same network segment and is only potentially blocked by application-level security. In other words, traditional solutions trusted everything on the internal network by default. Unfortunately, that model doesn’t hold up well for the modern digital business.

The reason zero trust has become necessary is that enterprise networks have changed drastically over the last decade, and even more so over the last six months. Remote work is now the norm, critical data flows to and from multiple public clouds, Bring Your Own Device (BYOD) is common practice, and WAN perimeters are more dynamic than ever. This means enterprise networks that have a broader attack surface are strongly incentivized to both prevent breaches and limit dwell time and lateral movement in the event a breach occurs. Zero Trust Architecture enables micro-segmentation and the creation of micro-perimeters around devices to achieve these goals.

How Zero Trust Architecture works

While the specific tools used to implement Zero Trust Architecture may vary, the National Cybersecurity Center of Excellence’s ‘Implementing a Zero Trust Architecture’ project calls out four key functions:

- Identify. Involves inventory and categorization of systems, software, and other resources. Enables baselines to be set for anomaly detection.
- Protect. Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities zero trust is based upon as well as integrity checking for software, firmware, and hardware.
- Detect. The detect function deals with identifying anomalies and other network events. The key here is continuous real-time monitoring to proactively detect potential threats.
- Respond. This function handles the containment and mitigation of threats once they are detected.

Zero Trust Architecture couples these functions with granular application-level access policies set to default-deny. The result is a workflow that looks something like this in practice:

- Users authenticate using MFA (multi-factor authentication) over a secure channel
- Access is granted to specific applications and network resources based upon the user’s identity
- The session is continuously monitored for anomalies or malicious activity
- Threat response occurs in real-time when potentially malicious activity is detected

The same general model is applied to all users and resources within the enterprise, creating an environment where true micro-segmentation is possible.

How SDP and SASE enable Zero Trust Architecture

SDP (software-defined perimeter), which is also referred to as ZTNA (Zero Trust Network Access), is a software-defined approach to secure remote access. SDP is based on strong user authentication, application-level access rights, and continuous risk assessment throughout user sessions. With that description alone, it becomes easy to see how SDP makes it possible to implement Zero Trust Architecture.

When SDP is part of a larger SASE (Secure Access Service Edge) platform, enterprises gain additional security and performance benefits as well. SDP with SASE eliminates the complexity of deploying appliances at each location and the unpredictability that comes from depending on the public Internet as a network backbone. Additionally, with SASE, advanced security features are baked in to the underlying network infrastructure. In short, SDP as a part of SASE enables Zero Trust Architecture to reach its full potential. For example, the Cato SASE platform implements zero trust and delivers:

- Integrated client-based or clientless browser-based remote access
- Authentication via secure MFA
- Authorization based upon application-level access policies based on user identities
- DPI (deep packet inspection) and an intelligent anti-malware engine for continuous protection against threats
- Advanced security features such as NGFW (next-generation firewall), IPS (intrusion prevention system), and SWG (secure web gateway)
- Optimized end-to-end performance for on-premises and cloud resources
- A globally distributed cloud-scale platform accessible from all network edges
- A network backbone supported by 50+ PoPs (points of presence) and a 99.999% uptime SLA

Interested in learning more about SDP, SASE, and Zero Trust Architecture?

If you’d like to learn more about SDP, SASE, or Zero Trust Architecture, please contact us today or sign up to demo the Cato SASE platform. If you’d like to learn more about how to take a secure and modern approach to remote work for the enterprise, download our eBook Work from Anywhere for Everyone.

A Modern Approach to Enterprise Remote Access

Remote work has become the new normal as a result of the COVID-19 pandemic, and according to a survey by collaboration software provider Slack, most knowledge workers believe remote-work-friendly policies will continue after the pandemic as well. At the same time this unprecedented shift to remote work is occurring, businesses are realizing traditional enterprise remote access solutions, like Internet-based VPN, often aren’t capable of addressing all the needs of large-scale work from home. As a result, user experience and productivity can suffer.

That’s why many enterprises are turning to more modern and scalable remote access solutions like SDP (software-defined perimeter) and SASE (Secure Access Service Edge) that can deliver enterprise-grade performance and security at scale. But what exactly do enterprises need from a remote access solution and why are SDP solutions capable of meeting those needs better than traditional solutions? Let’s take a look.

What businesses need from enterprise remote access solutions

To remain productive when working from home, employees need access to the same data and applications they used in the office. Additionally, the importance of collaboration tools like Slack and Microsoft Teams increases dramatically. Enterprise IT needs to provide access to these resources, which are often scattered across the public cloud and corporate datacenters, in a way that allows employees to remain productive without sacrificing security. Therefore, enterprise remote access solutions need to:

- Deliver high quality user experience. When everyone is working from home, there is a direct relationship between network connectivity and productivity. If a user cannot attend a teleconference due to latency or business applications become unusable or inaccessible, productivity comes to a screeching halt. Simply put, the network cannot become a productivity bottleneck.
- Provide predictable and reliable performance. Predictable and reliable performance go hand-in-hand with user experience. Latency, packet loss, and network outages can all wreak havoc on a remote workforce. This means enterprises need enterprise remote access solutions that are both reliable and fault tolerant.
- Provide enterprise-grade security. Remote work makes it even harder to address the challenges of enterprise network security. Endpoints are now effectively deployed at every employee’s home, expanding attack surfaces and adding to the risk posed by phishing attacks and malware. As a result, enterprises need remote access solutions that can enforce granular security policies, rapidly detect and mitigate threats, and reduce lateral movement in the event a breach occurs.
- Scale easily. Capacity constraints and network complexity can become major bottlenecks as a remote workforce scales. Enterprise remote access solutions need to be able to scale easily without adding significant complexity to the network.

The problems with traditional enterprise remote access solutions

Point solutions like Internet-based VPN aren’t entirely without a use case. For small-scale and affordable connectivity between a few sites, a point solution may be the right answer. However, the continuous use and scale of organization-wide work from home isn’t a use case that traditional point solutions can effectively address. Issues that enterprises using these solutions to enable large-scale remote work have encountered include:

- Latency and poor user experience. VPN servers have a limited amount of capacity; as more users connect, the server can become overworked and performance degradation occurs. As a result, user experience suffers.
- Unreliable performance. Point solutions that depend on the Internet are also subject to all the problems with Internet routing. When an enterprise remote access solution is entirely dependent on the Internet, unpredictable performance can become the norm.
- Lack of granular security controls. Generally, point solutions restrict access at the network level. Once a user authenticates, they have network access to everything on the same subnet. This lack of granular security creates a significant risk and leaves gaps in network visibility.
- Difficult to scale. The client/server architecture of point solutions simply isn’t scalable. To increase capacity for a network based on point solutions, IT needs to either deploy new appliances or upgrade existing ones. Further, addressing security and performance optimization challenges requires additional appliances to be deployed and integrated, which increases network complexity.

How SDP and SASE solve these issues

SDP, also known as ZTNA (Zero Trust Network Access), is a software-defined approach to application access. It is based on three core functionalities:

- Strong user authentication
- Application-level access based on user profiles
- Continuous risk assessment during sessions

This software-defined approach, which delivers application-level security policies, helps to address several of the security and scalability challenges enterprises face. While SDP alone is useful, it is when used as part of a broader SASE platform that enterprises derive the most value from an optimized and secure remote access solution. SASE includes WAN optimizations and network security functions like NGFW (next-generation firewall) and IPS (intrusion prevention system) that help eliminate the need for complex deployments with multiple appliances while improving security and performance. Further, because SASE is cloud-based, enterprises benefit from the hyper-scalability of the cloud in their remote access solution. For example, businesses that use Cato’s SASE platform benefit from an enterprise remote access solution that:

- Optimizes performance for all applications and improves user experience. Traffic is optimally routed over a global private backbone that eliminates the performance issues of VPN servers that depend on the Internet. Additionally, WAN optimizations increase throughput for use cases like video conferences and sharing large files. Further, with client-based or clientless access options and integrations for authentication services like Azure Active Directory, users benefit from a simple and secure SSO (single sign-on) experience with MFA (multifactor authentication).
- Provides predictable performance and a 99.999% uptime SLA. Cato’s network backbone consists of over 50 PoPs (points of presence) across the globe and is backed by a 99.999% uptime SLA. This gives enterprises a level of performance reliability and fault tolerance point solutions cannot.
- Enforces granular security policies and continuously monitors for threats. SDP coupled with NGFW, IPS, and threat detection delivers enterprise-grade security in a single, easy-to-manage platform.
- Brings the scalability of the cloud to remote access. The cloud approach of SASE delivers scalability point solutions simply cannot match. The underlying appliances and infrastructure are abstracted away from the enterprise, reducing complexity and allowing IT to focus on core business functions.

Interested in learning more about SDP, SASE, and enterprise remote access solutions?

As we have seen, SDP and SASE provide a modern approach to enterprise remote access and enable digital businesses to effectively support large scale remote work. If you’d like to learn more about SDP, SASE, or enterprise remote access solutions, contact us today or download this Work from Anywhere for Everyone eBook. If you’d like to see the world’s first SASE platform in action, we invite you to sign up for a demo.
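The access models contrasted in this post and in the Zero Trust Architecture post above (subnet-wide access once a VPN user authenticates, versus SDP/ZTNA's authenticated identity, application-level default-deny grants and continuous session risk assessment) are easier to see side by side in code. The following is an added illustration written for this page, not Cato's code or any product's policy engine; the apps, subnet, group policy, event weights and risk threshold are all constructed samples.

```python
"""Added illustration: subnet-level VPN access versus SDP/ZTNA-style
application-level access with continuous session risk assessment.
All users, apps, policies and risk weights below are constructed samples."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample environment: three internal apps on one subnet.
APPS = {
    "crm": "10.0.1.10",
    "payroll": "10.0.1.20",
    "db-admin": "10.0.1.30",
}
VPN_SUBNET = ipaddress.ip_network("10.0.1.0/24")

# Application-level policy, default-deny: a group may reach only the apps
# listed for it; anything not listed is denied.
APP_POLICY = {
    "sales": {"crm"},
    "finance": {"crm", "payroll"},
    "dba": {"db-admin"},
}

# Hypothetical weights for observed session events and the revocation threshold.
RISK_WEIGHTS = {"normal": 0, "new_device": 1, "impossible_travel": 2, "malware_signature": 3}
RISK_LIMIT = 3


@dataclass
class User:
    name: str
    groups: set
    mfa_verified: bool


@dataclass
class Session:
    user: User
    risk: int = 0
    revoked: bool = False
    events: list = field(default_factory=list)


def vpn_access(user: User, app: str) -> bool:
    """Castle-and-moat model: once the user has authenticated, every host on
    the VPN subnet is reachable, regardless of who the user is."""
    if not user.mfa_verified:
        return False
    return ipaddress.ip_address(APPS[app]) in VPN_SUBNET


def sdp_access(session: Session, app: str) -> bool:
    """SDP/ZTNA model: access is granted per application, only to an
    authenticated identity with an explicit grant, and only while the
    session has not been revoked by continuous risk assessment."""
    if session.revoked or not session.user.mfa_verified:
        return False
    allowed = set().union(*(APP_POLICY.get(g, set()) for g in session.user.groups))
    return app in allowed  # default deny: unknown apps and groups fall through to False


def observe(session: Session, event: str) -> bool:
    """Continuous risk assessment during the session: accumulate a score for
    each observed event and revoke the session once it reaches RISK_LIMIT.
    Returns True while the session remains valid."""
    session.events.append(event)
    session.risk += RISK_WEIGHTS.get(event, 1)  # unknown events count as mildly risky
    if session.risk >= RISK_LIMIT:
        session.revoked = True
    return not session.revoked


def lateral_reach(user: User, model: str) -> set:
    """Which apps a user can reach under each model; this is the lateral-movement
    exposure the posts attribute to subnet-level access."""
    if model == "vpn":
        return {app for app in APPS if vpn_access(user, app)}
    session = Session(user)
    return {app for app in APPS if sdp_access(session, app)}


if __name__ == "__main__":
    alice = User("alice", {"sales"}, mfa_verified=True)
    print("VPN reach:", sorted(lateral_reach(alice, "vpn")))   # all three apps
    print("SDP reach:", sorted(lateral_reach(alice, "sdp")))   # only crm
    s = Session(alice)
    for ev in ["new_device", "normal", "impossible_travel"]:
        print(ev, "-> session valid:", observe(s, ev))
    print("crm after revocation:", sdp_access(s, "crm"))      # False
```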

SASE Convergence or Integration? It’s Not the Same Thing

Networking and security used to be considered two distinct areas of information technology. Enterprises would build a network to meet their communication needs and then bolt on security to protect data and devices. The widespread adoption of Gartner's secure access service edge (SASE) architecture all but debunked that notion, and today it's widely accepted that networking and security must come together.

For Cato, of course, this is nothing new. We’ve always viewed networking and security as two sides of the same coin. The Cato software converges security and networking functions together into one cloud-native platform. The same software running QoS and path selection of SD-WAN, WAN optimization, and other networking functions is also the same software doing security inspection and policy enforcement.

But for those vendors rushing to join SASE, solution integration has become the answer. Using service chaining or some other method, vendors will connect their own networking and security point solutions, or those of third parties. Such an approach, though, is fraught with problems. Deployment involves rolling out multiple appliances or solutions. IT is left juggling multiple management consoles, which complicates troubleshooting. The disparate policy frameworks remain another hurdle.

Let's take a closer look at the differences between convergence and integration during the deployment, operation, and management phases of the network.

Deployment

Simplified Deployment of Secure SD-WAN

Opening new offices becomes much simpler and quicker because convergence allows for the deployment of a very thin edge. With most functionalities converged into the cloud, the connecting software or device can be very light, running as an SD-WAN device, a virtual appliance, or even a small piece of software, like a mobile client. All “edges” of the enterprise are interconnected by one, predictable global backbone.

By contrast, when integrating security and networking solutions, enterprises have to deploy and install separate solutions, such as SD-WAN and firewall appliances. Rolling out security appliances at all the branches is cumbersome and expensive—and sometimes even impossible. Additional solutions are needed for remote access and reliable, high-performance, global connectivity, further complicating deployment (and fragmenting visibility, as we’ll discuss).

Rapid Network Expansion Enabled by Software-only Deployment

Convergence also enables providers to expand their network's geographic footprint very rapidly without compromising on the services offered at a location. There are no proprietary appliances to wait on, configure, and ship to a distant location. As such, within a few short years, Cato's network has surged to more than 50 PoPs worldwide, nearly doubling the coverage density of service providers twice its age.

Figure caption: With its cloud-native software platform, Cato has been able to rapidly expand its network, reaching 50+ PoPs in a few short years, the most of any independent, cloud-native backbone.

Operation

Improved Performance with Single-pass Processing

Having converged networking and security enables Cato to decrypt and inspect the packet once, performing all security and networking processing in parallel. As such, traffic, even encrypted traffic, can be inspected at wire speed regardless of the needed security policies or optimizations. Contrast this to networks with separate security appliances or web services, which require the traffic to be decrypted, inspected, and re-encrypted multiple times. It adds unnecessary latency to the network.

Holistic Intelligence Deepens and Broadens Security Capabilities

Once traffic enters the Cato PoP, Cato captures, stores and analyzes the network metadata of those packets. The metadata is further enriched with threat-intelligence feeds and other security-specific information. More than 1 TB of traffic metadata across hundreds of customer networks is captured every day. The metadata is stored in a cloud-scale, big data architecture. Data aggregation and machine learning algorithms mine the full network context of this vast data warehouse over time, detecting indicators of anomalous activity and evasive malware across all customer networks.

It's the kind of context that can't be gleaned from looking at the networking or security domains in isolation, or by examining just one organization's network. It requires a converged solution like Cato, examining all traffic flows from all customers in real-time.

By contrast, with separate security and networking appliances, data is stored in different databases in different formats. The result is a fragmented view of the environment, and then often only for one customer. Adding a SIEM doesn't help much because it's only processing logs and missing out on the raw metadata that provides such deep insight, particularly for security analytics.

Figure caption: Cato Managed Detection and Response (MDR) Service

Management

Converging Management Makes Network Planning More Accurate, Simplifies Routine Work, Eliminates Errors

Convergence also makes network and security management simpler and more effective with less investment. The most obvious example is the management interface. From one platform, enterprises can monitor, report on, and manage their networking, remote access, and security infrastructure. Accounting for all traffic leads to a more accurate understanding of what’s happening on your network everywhere. Network planning becomes more accurate.

Convergence also makes day-to-day interactions easier and less painful. The objects, such as users and sites, created in one domain are available in the other, shortening configuration times and reducing the number of configuration errors. All too often it’s those errors that increase the attack surface and create the vulnerabilities attackers can exploit to penetrate an organization.

Figure caption: From a single console, Cato customers can monitor and manage their sites (1), as well as remote users and security infrastructure (2). They have overall visibility (3) that can be drilled into at a click.

Visibility Shortens the Time to Resolve Problems

Convergence also reduces troubleshooting times. Under the hood, all networking and security management data is already stored in a common database. As such, from one interface, IT can correlate network and security events to investigate a problem. It’s a powerful capability long sought after by IT, best understood by looking at the alternative.

Take, for example, the case where users across offices periodically complain about call quality. Once you’ve validated the UC/UCaaS system is in order, you start investigating the network. What might that look like?

Well, for one, you'll check last-mile line quality at the user locations. The last-mile jitter and packet loss metrics may not be available for past events, though. You'll probably need to capture the data and wait until the next time the event occurs. But, for the purposes of this discussion, let’s assume you have the data right now. So, you jump to your provider’s monitoring console and extract the relevant information. It’s not available from the provider? Maybe you can connect to each edge device to pull the data.

Another console will be needed to check your backbone’s performance as well. Still another console might be needed to ensure QoS and bandwidth rules aren't throttling the line. And a fourth interface will need to be consulted to be sure a misconfigured firewall rule isn’t blocking access for some users.

Your IT team has had to juggle four or five consoles already. With each one, they had to master the product set and interface nuances to extract the needed information. But there’s more. For complex problems, you'll want to correlate event data across the platform. This means exporting the data, assuming that’s possible, into a common platform for analysis. You’ll need a tool that can ingest the various data sources, store the data into a data warehouse, normalize the data into a common format, graph the events out onto a timeline, and then give you the tools to filter and query appropriately.

Or you can just use Cato Instant*Insight, a feature of the Cato management console, available to all Cato customers. With Cato Instant*Insight, security, routing, connectivity, system, and device management event data for the past year (and longer, if required) is available, correlated, and mapped onto a time frame for analysis. From a simple Kibana-like interface, customers can drill down to analyze problems from across their network (see figure below).

Figure caption: By converging security and networking data into a common database, Cato was able to quickly introduce Cato Instant*Insight. This SIEM-like capability allows users to see all routing, security, connectivity, system, and device management events (1). They can even drill down into a site to see network health events, such as packet loss metrics (2).

The Strategic Advantages of Convergence

We’ve identified the benefits convergence brings across the network and security lifecycle:

- Faster and simpler deployment and rapid network expansion.
- Better network performance and deeper network visibility.
- Easier routine management and faster troubleshooting.

These are all important, of course, but convergence has even greater, strategic implications as well. For too long, the sheer complexity of enterprise networks has burdened IT with hidden costs at every level.

Capital costs, for example, remain high. They’re dictated, in part, by the licensing fees companies pay to their suppliers. And although networking solutions will share some functionality, such as packet processing, encryption and decryption, and deep packet inspection (DPI), each must redevelop the technology for itself, failing to pass potential savings on to the customer.

Operational costs also increase in every part of the lifecycle with each new solution. For every new product adopted, IT must learn about the markets, evaluate their options, and then deploy, integrate, and maintain solutions. The whole process consumes precious staff resources.

Staffing requirements remain high. IT must find individuals who have first mastered the arcane commands needed to extract the necessary data from their various IT solutions. This leads to IT teams that are built based on vendor and appliance expertise, rather than on broad network and security administration and leadership skills. It’s like requiring people to master car mechanics before receiving their driver's license. Is it any wonder IT faces a staffing problem?

And each solution increases the risk to the company. Attackers are no longer only targeting government or the largest of companies. They’re going after everyone, and none can afford to leave infrastructure unprotected. Yet with each new solution deployed, there comes another opportunity for penetration. IT must spend more of the time and effort of highly skilled, and expensive, technical experts to ensure infrastructure is patched and kept current. Too often that’s not the case, which has led to attacks through VPN servers, routers, and, yes, third-party SD-WAN appliances.

Convergence changes the IT operations paradigm. With one set of code and one data repository for all event data, a seamless interface becomes possible for the entire network. It presents IT with the tools to do what they need to do best and not sweat the grunt work.

Trying to achieve that by piecing together existing devices and solutions is impractical if not impossible. The technical problems are immense, but don’t discount the business disincentives. The management console is too important for vendors to be expected to give up on their interface; it’s a major tool for differentiation from the competition. That is one major reason why, beyond any technical challenges, forming a single pane of glass into networking and security has been so challenging for so long. Only a platform built for convergence can deliver the benefits of convergence.

The disadvantages of VPNs for Enterprises

The disadvantages of VPNs for Enterprises

The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over 200% in a matter of weeks. In many cases, remote access VPNs enabled enterprises to get work from home initiatives off the ground quickly and keep their business running, despite offices being closed. However, as they settle into the new normal, many enterprises are also learning that there are several VPN disadvantages as well. Scalability, performance, and security can all become challenges with remote access VPN.

SDP (software-defined perimeter) provides enterprises with a solution to the disadvantages of VPN. By taking a software-defined approach to remote access and network security, SDP (sometimes referred to as ZTNA or Zero Trust Network Access) helps address these challenges in a way that is more sustainable long-term. But what exactly sets SDP apart from traditional remote access VPN? Let’s find out.

Of course, VPN isn’t without its upside

Remote access VPNs provide enterprises with a means to enable remote work. A virtual or physical appliance within the WAN, the public Internet, and client software on employee PCs is often sufficient to support work from home initiatives. In many cases, this exact sort of remote access VPN configuration helped businesses keep the lights on when the pandemic hit.

Watch the episode - Using SASE For ZTNA: The Future of Post-Covid 19 IT Architecture: https://catonetworks.easywebinar.live/registration-85?utm_source=blog&utm_medium=top_cta&utm_campaign=Using_SASE_For_ZTNA_webinar

VPN disadvantages

While it is true remote access VPN saved the day for some businesses, it’s also true that the increased usage has further magnified some of the biggest VPN disadvantages.

#1: Not designed for continuous use

The use case for remote access VPN was never to connect an entire enterprise to the WAN. Traditionally, enterprises purchased VPN solutions to connect a small percentage of the workforce for short periods of time. With a shift to large-scale work from home, existing VPN infrastructure is forced to support a continuous workload it wasn’t intended for. This creates an environment where VPN servers are subject to excessive loads that can negatively affect performance and user experience.

#2: Complexity impedes scalability

Enterprises may try to address the issue of VPN overload with additional VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Similarly, configuring VPN appliances for HA (high availability) adds more cost and requires more complex configuration. Further, because VPN servers provide remote access, but not enterprise-grade security and monitoring, they must be complemented by management solutions and security tools. These additional appliances and applications lead to even more configuration and maintenance. As each additional solution is layered in, the network becomes more complex and more difficult to scale.

#3: Lack of granular security

VPN appliances are a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet. For some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches. To add granular security controls to remote access VPN, enterprises often have to deploy additional security point-solutions, but this adds additional cost and complexity while leaving plenty of room for misconfiguration and human error.

#4: Unpredictable performance

VPN connections occur over the public Internet, which means network performance is directly tied to public Internet performance. The jitter and packet loss common to the Internet can wreak havoc on mission critical apps and user experience. Additionally, enterprises with a global footprint know that there are significant latency challenges when attempting to send Internet traffic across the globe, before we even take into account the additional overhead VPN tunneling adds.

#5: Unreliable availability

Beyond unpredictable performance, enterprises that depend on the public Internet for remote access get no availability guarantees. When public Internet outages mean lost productivity for your entire organization, the risk of depending solely on the public Internet can outweigh the rewards significantly.

How SDP addresses remote access VPN disadvantages

SDP, when used as part of a holistic Secure Access Service Edge (or SASE) platform, directly addresses VPN’s disadvantages and provides enterprises with a scalable and reliable remote network access solution. SASE is a category of enterprise networking that converges network and security functionality into a unified cloud-native service. SDP, which is an important part of the SASE framework, is a modern approach to remote application access that has global performance optimization, threat protection, and granular access controls built in. The idea behind SDP is simple:

√ Users securely authenticate (e.g. using MFA and encrypted network protocols)
√ Access rights are assigned based on profiles and specific applications
√ Risk assessment occurs continuously during each user session

Using Cato’s SASE platform as an example, with SASE and SDP, enterprises gain a remote access solution that:

Is built for continuous access. Cato’s globally distributed cloud-native platform is purpose built for continuous access. With cloud-native infrastructure, enterprises don’t have to worry about overloading a single VPN appliance. Additionally, performance optimization and HA are built into Cato’s global private backbone, eliminating many of the performance issues that created VPN’s dependence on the public Internet.

Delivers hyper-scalability. Enterprises don’t need to add more appliances to scale. SDP and SASE bring the hyper-scalability of the cloud to remote access.

Provides granular access control. SDP allows enterprises to design access controls at the application-level and based on user profiles. This leads to a significant reduction in risk compared to VPN’s network-level approach.

Proactively protects against threats. With SDP, network traffic goes through end-to-end packet inspection using a robust cloud-based security stack designed to detect and prevent malicious behavior. This occurs without the need to deploy and maintain additional security solutions.

Is backed by a 99.999% uptime SLA. Cato’s global private backbone consists of more than 50 PoPs interconnected by Tier-1 Internet Service Providers and backed by a 99.999% uptime SLA. In a time where entire workforces are remote, this guarantee of availability can make a world of difference.

All this comes together to make SASE and SDP an ideal remote access VPN alternative.

Want to learn more about remote work, SDP, and SASE?

Enterprises are learning remote access VPN may not be the right long-term solution as we adjust to the new normal. Many are also learning that SASE and SDP are ideal for enabling secure, reliable, and high-performance remote work that can scale. If you’d like to learn more about how SDP and SASE can address the challenges of legacy VPN, download our eBook Work from Anywhere for Everyone. If you’d like to see the Cato SASE platform in action for yourself, contact us or sign up for a demo today.
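To make the contrast between VPN's subnet-level access and the three SDP steps above concrete, here is an added example (not Cato's code) of a minimal policy evaluator: a castle-and-moat check that only asks whether the destination is inside the VPN subnet, beside an application-level check keyed on user profile, MFA and a continuously updated session risk score. All users, profiles, addresses and risk weights are constructed for illustration.

```python
"""Added example (not Cato's code): a minimal SDP/ZTNA policy evaluator that
contrasts the VPN "castle-and-moat" model (subnet reachability is the only
control) with per-application, profile-based access that is re-evaluated as
session risk changes. Every name, profile, address and risk weight here is
constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# Castle-and-moat: once authenticated to the VPN, anything in the subnet is reachable.
VPN_SUBNET = ipaddress.ip_network("10.0.0.0/16")   # constructed sample range


def vpn_allows(authenticated: bool, dest_ip: str) -> bool:
    """Network-level decision: the only questions are "is the user on the VPN?"
    and "is the destination inside the subnet?". Who the user is never matters."""
    return authenticated and ipaddress.ip_address(dest_ip) in VPN_SUBNET


# SDP: rights are granted per application, keyed on user profile, with an MFA
# requirement and a per-application risk ceiling (constructed policy table).
APP_POLICY = {
    "crm":     {"profiles": {"sales", "admin"},        "require_mfa": True,  "max_risk": 40},
    "wiki":    {"profiles": {"sales", "eng", "admin"}, "require_mfa": False, "max_risk": 70},
    "prod-db": {"profiles": {"admin"},                 "require_mfa": True,  "max_risk": 20},
}

# Constructed weights for the continuous risk assessment (0 = clean, 100 = worst).
RISK_WEIGHTS = {"new_geo": 30, "malware_alert": 50, "unpatched_device": 20}


@dataclass
class Session:
    user: str
    profile: str
    mfa_passed: bool
    risk: int = 0  # updated throughout the session, not only at login


def sdp_allows(session: Session, app: str) -> tuple[bool, str]:
    """Application-level decision, evaluated on every access, not once at connect."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application: default deny"
    if session.profile not in policy["profiles"]:
        return False, "profile not entitled to this application"
    if policy["require_mfa"] and not session.mfa_passed:
        return False, "MFA required"
    if session.risk > policy["max_risk"]:
        return False, "session risk above application ceiling"
    return True, "allowed"


def reassess(session: Session, signals: dict[str, bool]) -> int:
    """Continuous risk assessment: fold newly observed signals into session risk."""
    added = sum(weight for name, weight in RISK_WEIGHTS.items() if signals.get(name))
    session.risk = min(100, session.risk + added)
    return session.risk


def walkthrough() -> list[tuple[str, bool]]:
    """A sales user: on a VPN she can reach the production DB host; under SDP she
    cannot, and a mid-session malware alert also revokes CRM (but not the wiki)."""
    s = Session(user="alice", profile="sales", mfa_passed=True)
    results = [
        ("vpn reaches prod-db host 10.0.5.20", vpn_allows(True, "10.0.5.20")),
        ("sdp prod-db", sdp_allows(s, "prod-db")[0]),
        ("sdp crm before alert", sdp_allows(s, "crm")[0]),
    ]
    reassess(s, {"malware_alert": True})   # risk 0 -> 50, above crm's ceiling of 40
    results += [
        ("sdp crm after alert", sdp_allows(s, "crm")[0]),
        ("sdp wiki after alert", sdp_allows(s, "wiki")[0]),
    ]
    return results


if __name__ == "__main__":
    for label, ok in walkthrough():
        print(f"{label}: {'ALLOW' if ok else 'DENY'}")
```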

Cloud Native, COVID-19, and True Secure Access Service Edge – What The 2020 Gartner Hype Cycles Taught Us

For the second year in a row, Cato Networks was recognized as a Sample Vendor in the Secure Access Service Edge (SASE) category in the Gartner Hype Cycle for Enterprise Networking, 2020 [1]. Cato was also recognized as a Sample Vendor in three other categories including SD-WAN, Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA) in the Hype Cycle for Network Security 2020 [2]. In our opinion, it's unique for a vendor to be acknowledged for the same platform — not multiple, discrete products sold by the same vendor. The report also taught us quite a bit more about SASE since its introduction nearly a year ago. Here are some of the key highlights and insights.

SASE in, SD-WAN Out

What was an anomaly a year ago has become a phenomenon. In under a year, SASE has become widely accepted across the industry. Today, it’s understood that SD-WAN and security must come together. The days of standalone SD-WAN (without any stated security strategy) are past. The embrace of SASE is the best indicator of this trend. Writes Gartner, “While the term originated in 2019, the architecture has been deployed by early adopters as early as 2017. By 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018. By 2023, 20% of enterprises will have adopted SWG, CASB, ZTNA, and branch FWaaS capabilities from the same vendor, up from less than 5% in 2019.” [1]

SASE adoption reflects the shift towards a workforce that works from anywhere, accessing resources that are no longer confined to private datacenters. Writes Gartner, “Although the term is relatively new, the architectural approach (cloud if you can, on-premises if you must) has been deployed for at least two years. The inversion of networking and network security patterns as users, devices, and services leave the traditional enterprise perimeter will transform the competitive landscape for network and network security as a service over the next decade, although the winners and losers will be apparent by 2022.”

One of the major motivations for SASE has been the shift to work-from-home. Writes Gartner, “COVID-19 has highlighted the need for business continuity plans that include flexible, anywhere, anytime, secure remote access, at scale, even from untrusted devices. SASE's cloud-delivered set of services, including zero trust network access, is driving rapid adoption of SASE.” [1] As such, enterprises are encouraged to look at one, converged solution for branch offices and remote access. Writes Gartner, “Combine branch office and secure remote access in a single implementation, even if the transition will occur over an extended period.” [1]

Architecture Matters: True SASE Services Are Cloud Native

More so than evaluating specific features, SASE offerings should be evaluated on their architecture. Delivering a cloud-native architecture for security and networking capabilities is critical. Writes Gartner, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” [1] Simply linking together discrete appliances does not meet this need. Writes Gartner, “Avoid vendors that propose to deliver the broad set of services by linking a large number of products via virtual machine service chaining.” [1]

The Shift to a Cloud-Native Architecture Threatens Incumbents

The emphasis on the cloud will be disruptive for many. Writes Gartner, “There have been more than a dozen SASE announcements over the past 12 months by vendors seeking to stake out their position in this extremely competitive market. There will be a great deal of slideware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery as a service model and the investments required for distributed PoPs. This is a case where software architecture and implementation matters.” [1]

Adopt SASE Through Network Transformation

The shift to SASE can occur through the natural migration and development of the network. Gartner encourages enterprise IT to “Leverage a WAN refresh, firewall refresh, VPN refresh or SD-WAN deployment to drive the redesign of your network and network security architectures.” Enterprises are told to “Use cost-cutting initiatives in 2020 from MPLS offload to fund branch office and workforce transformation via the adoption of SASE.” [1]

Cato Delivers True SASE Not SASE Hype

Cato converges security and networking into a global, cloud-native platform that interconnects all edges — sites, users, applications, and cloud resources. At the core of the Cato Cloud is a global private backbone spanning 58 PoPs that extends the full range of Cato’s networking and security capabilities to every location and user worldwide. As the SASE market matures, the importance of a cloud-native architecture is becoming ever more critical. As we noted earlier, Gartner writes, “True SASE services are cloud-native — dynamically scalable, globally accessible, typically microservices-based and multitenant.” [2] In our opinion, this SASE definition breaks away from the appliance-centric, and service chained model of legacy architectures. Today, Cato has more than 600 SASE customers worldwide, connecting thousands of locations, and nearly 200,000 mobile users. Cato has been delivering its SASE architecture since 2017 to enterprises of all sizes.

To see the complete SASE text from the Hype Cycle, download The Gartner Hype Cycle for Network Security 2020 (available for a limited time).
To read the press release about Cato’s recognition within these two recent Hype Cycle reports, visit https://www.catonetworks.com/news/cato-in-the-gartner-hype-cycle-for-network-security-2020
To learn more about Cato’s SASE offering, visit https://www.catonetworks.com/SASE
Visit our blog to learn more about SASE from these two recent Gartner Hype Cycle reports.

1 Gartner, “Hype Cycle for Enterprise Networking, 2020,” Andrew Lerner, Danellie Young, July 8, 2020.
2 Gartner, “Hype Cycle for Network Security, 2020,” Pete Shoard, June 30, 2020.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

How to Prepare for Long-term Remote Work, Post-Pandemic

Millions of people have been told to work from home (WFH) to support social distancing edicts during the pandemic. While many countries have now loosened their restrictions and allowed some workers to return to their places of employment, there are indications that WFH could be long-lasting or even permanent for some. In a March 30 survey of 317 CFOs and business finance leaders conducted by Gartner, nearly 75 percent of those surveyed expect that at least 5 percent of their workforce who previously worked in company offices will become permanent WFH employees after the pandemic ends.

This shift to remote work has big implications for enterprise networks. Network managers who had to quickly put the resources in place to support a temporary WFH mandate will need to rethink how to sustain remote work for the long-term. There are three areas, in particular, that we believe are critically important in supporting a remote workforce: network access, security, and enterprise communications.

Remote Workers Need Network Access Comparable to In-Office Workers

To accommodate the sudden surge of home-based workers, network managers might have ordered a slew of new VPN licenses, and maybe even a larger firewall or VPN appliance, to connect people to the corporate network. However, access via VPN can be notoriously slow, especially as traffic is backhauled back across the Internet to the VPN server. VPNs also can harbor significant vulnerabilities, an issue we noted in a recent post. NIST’s Vulnerability Database has published over 100 new CVEs for VPNs since last January. For these reasons, VPNs should not be viewed as a permanent solution for remote workers. Rather, people working from home on a full-time basis need network access that is comparable to in-office workers: reliable, good performance, easy to use, and secure.

As the world's first global Secure Access Service Edge (SASE) platform, Cato includes remote access with SD-WAN in one single platform. Enterprises can choose how to securely connect remote and mobile users to their enterprise resources and applications. Cato Client is a lightweight application that can be set up on a user’s device in minutes. It automatically connects the remote user to the Cato Cloud and from there they can access the same resources and applications they could access from any branch office. Cato’s clientless access solution allows optimized and secure access to select applications through a browser. Users navigate to an Application Portal, which is globally available from all of Cato’s 50+ PoPs, authenticate with the configured SSO, and are instantly presented with their approved applications.

Caption: With Cato’s clientless option, users are presented with a dashboard of approved applications. Clicking on an icon launches them directly into the application.

Security is Essential to Enable Working From Home

Remote work often puts the employee outside the network defense perimeter. Therefore, any WFH practices have to consider two aspects of security: network access control and protecting the home-based worker from cyber-attack. A VPN establishes a secure, encrypted connection so that a remote user’s traffic can travel over a public, unsecured, unencrypted network privately and safely. Other than encrypting the traffic in transit, a VPN has little else to offer in terms of securing the user’s ability to access the enterprise network and providing functions such as threat detection and mitigation.

Security, overall, is where Cato really shines because security is inherent in the network. It begins with the user login to the enterprise network. Cato is integrated with identity providers to provide strong authentication and a single-sign-on (SSO) experience. Using authentication services, like Microsoft 365 or Azure AD, as the remote access SSO will ensure that users securely authenticate through interfaces they are already familiar with. And, enabling multi-factor authentication at the identity provider will automatically enforce it for the remote access user’s authentication, further strengthening remote access security. The remote user’s traffic is fully inspected by Cato’s security stack, ensuring enterprise-grade protection to users everywhere. Cato’s access controls (Next Generation Firewall, Secure Web Gateway), Advanced Threat Protection (IPS, next generation anti-malware) and managed threat detection and response (MDR) capabilities are enforced globally, ensuring that remote users benefit from the same protection as office users.

Unified Communications Help All Workers Collaborate, No Matter Where They Are

Many organizations have adopted Unified Communications (UC) or UC-as-a-Service (UCaaS) to promote collaboration across the enterprise. All workers need consistent and reliable access to services such as voice, video, web conferencing, email, voice mail, messaging, screen and document sharing, and scheduled meetings. It’s critical that remote/WFH workers have these same tools to maintain virtual presence, if not physical presence, with their colleagues in the office. And while Cato doesn’t offer UCaaS as part of the Cato Cloud network, our network is optimized in several ways to support this type of service.

UCaaS quickly becomes a critical application for many organizations, which makes securing UCaaS against disruption particularly important. Cato addresses this problem by converging security services into the network. Next-generation firewall (NGFW), intrusion prevention service (IPS), advanced threat protection, and network forensics are converged into Cato Cloud, protecting UCaaS and all traffic from Internet-borne threats.

Cato minimizes packet loss and latency – the enemy of call quality – through loss correction, and by eliminating backhaul and avoiding the unpredictable public Internet. Backhaul is eliminated by sending UCaaS traffic directly across the Cato network to the Cato PoP closest to the UCaaS destination. And as Cato and UCaaS providers like RingCentral often share the same physical datacenters, public Internet latency is minimized.

Cato overcomes congestion and last-mile packet loss that often degrade UCaaS service quality. Sophisticated upstream and downstream Quality of Service (QoS) ensures UCaaS traffic receives the necessary bandwidth. Policy-based Routing (PBR) along with real-time, optimum path selection across the Cato Network minimizes packet loss. And finally, Cato overcomes last-mile availability problems by sending traffic across multiple last-mile links (active/active mode; other options, such as active/passive and active/active/passive are also available). In the event of a brownout or blackout, UCaaS sessions automatically fail over to the secondary connection fast enough to preserve a call. Brownouts are also mitigated by various Packet Loss Mitigation techniques.

Making the Remote Office a Safe Haven for Work

The coronavirus pandemic is changing business and work life in many ways. Employees who have receded to the safe recesses of their homes may never venture to the office again. Network managers need to consider how to keep WFH employees as effective and productive as if they were still in a corporate office, and this includes network access, security and collaborative communications.

The Path of a Packet in Cato’s SASE Architecture

The business environment is in a state of continuous change. So, too, are the supporting technologies that enable a business to rapidly shift priorities to adapt to new market conditions and customer trends. In particular, the emergence of cloud computing and user mobility have increased business agility, allowing rapid response to new opportunities.

The network of old needs to change to accommodate the phenomenal growth of cloud and mobility. It’s impractical to centralize a network around an on-premises datacenter when data and applications increasingly are in the cloud and users are wherever they need to be: on the road, at home, at a customer site, in a branch office. Incorporating the Internet into the enterprise network reduces costs and lets companies connect resources anywhere, but security is paramount. Security must be an inherent part of the network, which is why Gartner expects networking and security to converge. They’ve dubbed this converged architecture SASE, or secure access service edge. SASE moves security out of the legacy datacenter and closer to where users, data and applications reside today. In this way, security comes to the traffic, rather than the traffic going to security.

Just what does it all mean in terms of how a data packet flows through this converged architecture to get from Point A to Point B? Let’s break it down to the various network stages to discuss how Cato applies security services and various optimizations along the way.

The Last Mile: Just Enough Smarts to Bring Packets to the Cato PoP

Start with the traffic being sent from a user in an office across the “last mile” or what some might call the “first mile.” (Cato connects remote users and cloud resources as well, but we’ll focus on site connectivity in this example.) The user’s traffic is sent to Cato’s SD-WAN edge device, the Cato Socket, sitting on the local network. The Cato Socket provides just enough intelligence to get the packet to the Cato point of presence (PoP), which is where the real magic happens.

The Cato Socket addresses issues that can impact delivering the packet across the last mile to the nearest Cato PoP. The Socket classifies and dynamically routes traffic based on application type and real-time link quality (packet loss, latency, utilization). Robust application-prioritization capabilities allow enterprises to align last-mile usage with business needs by prioritizing and allocating bandwidth by application. Latency sensitive applications, such as voice, can be prioritized over other applications, such as email. Enterprises also can prioritize bandwidth usage within applications using Cato’s identity-aware routing capabilities. In this way, for example, sales VoIP traffic can be prioritized above generic voice traffic. And Cato overcomes ISP packet loss and congestion in the last mile by sending duplicate packets over multiple links.

The Middle Mile: Improving the Network While Protecting Users

When the packet arrives at the Cato PoP, it’s decrypted and then Cato applies its suite of network and security optimizations on the packet. Cato independently optimizes the middle mile. Every one of our 50+ PoPs is interconnected with the others in a full mesh by multiple tier-1 carriers with SLAs on loss and latency. When traffic is to be sent from one PoP, Cato software calculates multiple routes for each packet to identify the shortest path across the mesh. Cato also consistently measures latency and packet loss of the tier-1 carriers connecting the PoPs. Traffic is placed on the best path available and routed across that provider’s network end-to-end. Direct routing to the destination is often the right choice, but in some cases traversing an intermediary PoP or two is the more expedient route. Routing across a global private backbone end-to-end also reduces packet loss that often occurs at the handoff between carriers.

Next, each Cato PoP acts as a TCP proxy to maximize the transmission rate of clients, increasing total throughput dramatically. Our customers frequently report 10x-30x improvement in file download speeds.

In addition to network improvements, Cato also provides a fully managed suite of enterprise-grade and agile network security capabilities directly built into the Cato Global Private Backbone. Current services include a next-gen firewall/VPN, Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and a Managed Threat Detection and Response (MDR) service.

Unlike other SASE vendors that treat network and security deep packet inspections as serial activities, Cato puts all packets through a single process of inspection for both network optimization and security, providing a real boost to performance. Cato uses a single DPI engine for both network routing and security decisions. The packet is decrypted and all security policy enforcements and network optimizations are done in parallel. The security policy enforcement refers to the security capabilities of Cato: NGFW to permit/prevent communication with a location/user/IP address; URL filtering to permit/prevent communication with Internet resources; anti-malware (advanced and regular) inspection; and network-based threat prevention. This allows for maximum efficiency of packet processing.

The Last, Last Mile: Reaching from Cato to Destination

Packets are directed across the Cato private backbone to the PoP closest to the destination. The packet egresses from the PoP and is sent to the destination. For cloud applications, we set egress points on our global network to get internet traffic for specific apps to exit at the Cato PoP closest to the customer application instance (like Office 365). For cloud data centers, the Cato PoPs are collocated in the same datacenters, directly connected to Internet Exchange Points (IXPs), as the leading IaaS providers, such as Amazon AWS and Microsoft Azure. This means that we are dropping the traffic right in the cloud’s data center in the same way premium connections (like Direct Connect and Express Route) work. These are no longer needed when using Cato.

Summary

Enterprises today need a network with the capabilities and flexibility to meet their business challenges. By adding security into the network stack, as Cato’s SASE architecture does, the network can be more efficient in helping the enterprise achieve its business goals. With Cato’s SASE platform, branches send data along encrypted tunnels across Internet last miles to the nearest PoP. Cato’s one-pass architecture applies all security inspections and network optimizations in parallel to the packet. The packet is then sent across Cato’s optimized middle mile to the datacenter.
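The two routing decisions this article describes, the last-mile link choice (with packet duplication for latency-sensitive traffic and links dropping out on blackout or brownout) and the middle-mile shortest path across a full mesh of PoPs measured on latency and loss, are simulated below as an added example; this is not Cato's code, and the PoP names, link measurements, loss penalty and brownout threshold are all constructed for illustration.

```python
"""Added example (not Cato's code): last-mile link selection and middle-mile
path selection as described in the article. A socket orders its links by
measured quality and duplicates real-time packets over the two best links; a
path across the PoP mesh is then chosen with Dijkstra on a cost that folds
measured loss into latency. PoP names, link measurements, weights and
thresholds are all constructed for illustration."""
import heapq

LOSS_PENALTY_MS = 1000.0  # 1% loss is treated like 10 ms of extra latency
BROWNOUT_LOSS = 0.03      # links at or above this loss are taken out of service


def link_cost(latency_ms: float, loss: float):
    """Single scalar for path selection; None means the link is in brownout."""
    if loss >= BROWNOUT_LOSS:
        return None
    return latency_ms + loss * LOSS_PENALTY_MS


def last_mile_links(links: dict, realtime: bool) -> list[str]:
    """links: name -> (latency_ms, loss, is_up). Returns the link(s) to send on:
    one link for bulk traffic, the two best for real-time traffic (packets are
    duplicated). A blackout (is_up False) or brownout simply drops a link out."""
    ranked = []
    for name, (lat, loss, is_up) in links.items():
        cost = link_cost(lat, loss)
        if is_up and cost is not None:
            ranked.append((cost, name))
    ranked.sort()
    names = [name for _, name in ranked]
    return names[:2] if realtime else names[:1]


def build_graph(mesh: dict) -> dict:
    """mesh: (popA, popB) -> (latency_ms, loss). Links are symmetric here."""
    graph = {}
    for (a, b), (lat, loss) in mesh.items():
        cost = link_cost(lat, loss)
        if cost is None:
            continue  # brownout: the carrier link is not a candidate at all
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def best_path(mesh: dict, src: str, dst: str):
    """Dijkstra over the PoP mesh. Returns (total_cost, [pops]) or (None, [])."""
    graph = build_graph(mesh)
    dist, prev = {src: 0.0}, {}
    heap = [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


# Constructed measurements: the direct LON-SIN carrier link is up but lossy,
# so relaying through an intermediary PoP (FRA) wins despite the extra hop.
SAMPLE_MESH = {
    ("LON", "SIN"): (190.0, 0.02),
    ("LON", "FRA"): (15.0, 0.001),
    ("FRA", "SIN"): (160.0, 0.002),
    ("LON", "NYC"): (70.0, 0.001),
    ("NYC", "SIN"): (230.0, 0.001),
}
# Constructed last-mile links of one site; the DSL line is in blackout.
SAMPLE_LAST_MILE = {"fiber": (10.0, 0.0, True), "lte": (40.0, 0.01, True),
                    "dsl": (20.0, 0.0, False)}

if __name__ == "__main__":
    print("voice links:", last_mile_links(SAMPLE_LAST_MILE, realtime=True))
    print("bulk link:", last_mile_links(SAMPLE_LAST_MILE, realtime=False))
    print("LON->SIN:", best_path(SAMPLE_MESH, "LON", "SIN"))
```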

How Can Organizations Improve Network Performance?

How Can Organizations Improve Network Performance? Often, when speaking with network managers responsible for infrastructure within a multinational or global enterprise, I hear first-hand accounts of the impact of sluggish network performance. For example, videoconferences between engineers and product managers on separate contents can be brought to a standstill because of packet loss or latency. Similarly, slow networks can lead to painfully slow file transfers for large media files or CAD (computer-aided design). Further, poor network speeds can limit an enterprise’s ability to use cloud platforms to their full potential. These conversations invariably wind up in the same place: how can the modern digital business improve network speed? And what does that look like in practice? Here, we’ll explore just that. Top Five Ways to Improve Network Performance Reduce latency, add capacity, and/or compensate for jitter and loss are obvious high-level answers to most WAN optimization challenges, but doing so effectively is where the real challenge lies. For the modern WAN, just throwing money at the problem and buying more capacity or more expensive network gear isn’t always the right answer. That means understanding the underlying problem (beyond “the network is slow”) and solving for that. #1. Improve Middle Mile Performance When MPLS (multiprotocol label switching) was the de facto WAN connectivity standard, enterprises often had a reliable, albeit expensive and inflexible, middle mile connection they could count on for enterprise-grade connectivity. However, as cloud and mobile grew in popularity, the inflexibility and cost of MPLS began to drive enterprises away. For example, the trombone effect (the inefficient backhauling of cloud bound traffic through a specific network endpoint) often meant MPLS connectivity to cloud assets was worse than standard Internet connections. As a result, businesses turned to SD-WAN and Internet-based VPN solutions as an alternative. 
Unfortunately, because of the well-known problems with the public Internet, this meant an increase in latency across the middle mile. The solution? An approach that provides the reliability of MPLS across a private backbone while also offering optimized connectivity for cloud and mobile. This is exactly what Cato Cloud was purpose-built to do. With a global private backbone supported by a “five nines” (99.999%) uptime SLA and strategically placed PoPs (Points of Presence) around the world (many sharing a datacenter footprint with major cloud service providers), Cato can provide reliable, low-latency middle mile connectivity without sacrificing the flexibility of SD-WAN. #2. Optimize Cloud Connectivity The cloud is ubiquitous within modern digital businesses. With more and more critical workloads being shifted to the cloud every day, the importance of fast and reliable network connectivity is growing. We’ve already alluded to the challenges MPLS and the public Internet pose to the WAN in general, and they become further magnified when you take public cloud services into account. In many cases, enterprises are turning to expensive premium solutions like Azure ExpressRoute or AWS Direct Connect to optimize cloud connectivity. The idea is simple: a direct connection to the cloud data center overcomes many of the network challenges related to accessing cloud assets. However, many platform-specific solutions cannot account for all the cloud workloads within an enterprise. Email, CRM (customer relationship management) software, and collaboration tools may all come from different cloud service providers. This is why a solution that bakes cloud optimization into the underlying network infrastructure is important. For example, with Cato Cloud, enterprises can eliminate the need for costly premium solutions and provide an agentless integration to connect to cloud datacenters in a matter of minutes. 
Further, the converged approach Cato takes simplifies security and network visibility. Again, this is because the solution, in this case a full network security stack, is built into the cloud native infrastructure. #3. Eliminate Packet Loss Packet loss can wreak havoc on collaboration solutions such as VoIP and UCaaS (Unified Communications as a Service). Lost packets can be the difference between a productive business call or one where both ends become incoherent to one another. The challenge in the underlying causes of packet loss can be anything from overworked routers to network congestion to software bugs. Cato’s cloud native infrastructure helps solve the packet loss problem using multiple built-in features including: business process QoS, dynamic path selection, active-active link usage, packet duplication, and fast packet recovery. While roughly 1% packet loss can cause VoIP call issues under normal circumstances, RingCentral testing has shown Cato can deliver high-quality voice calls while experiencing more than 15% packet loss. #4. Proxy TCP Connections Fundamentally, TCP (Transmission Control Protocol) connections inherently add more overhead than their UDP (User Datagram Protocol) counterparts. At scale, this leads to scenarios where TCP connections can significantly contribute to network congestion and reduce throughput. Cato PoPs help enterprises address this issue by proxying TCP connections to make clients and servers “think” they are closer together and allow for larger TCP windows. Further, TCP congestion control functionality enables optimization of bandwidth utilization. #5. Aggregate Last Mile Connections Blackouts and brownouts in the last mile of WAN connections continue to be one of the most difficult network performance challenges to solve. This is because the issues that can occur in the last mile and the infrastructure quality across the globe vary greatly. 
Aggregating last mile connections, ideally in an active/active configuration, allows enterprises to protect against the challenges of the last mile and improve network performance. Cato Cloud takes connection aggregation a step further and proactively monitors for both blackouts and brownouts and enables automatic failover when appropriate. Additionally, Policy-based Routing (PbR) helps ensure the optimum path is used every time.

Convergence is Key

Improving network performance given any particular network problem is one thing, but providing enterprise-grade connectivity at scale requires a holistic approach. This is where the converged approach of Cato’s SASE (Secure Access Service Edge) model shines. Optimizations and security features are inherently part of the network, simplifying deployment and management while also solving real-world network performance challenges. In fact, the simplified and streamlined approach is one of the things Yoni Cohen, CTO of CIAL Dun & Bradstreet, found most valuable about his Cato rollout: “I love what Cato is doing. They take an area that is complicated and make it easy,” says Cohen. “What we have done with them so far has made a meaningful impact on our ability to have a smooth transition to a unified company network and allowed this to be one thing that we’re not worried about.” If you’d like to learn more about how Cato Cloud can help your enterprise, take a look at a demonstration or contact us today.
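Sections #3 and #5 above describe packet duplication and active/active last-mile aggregation with failover on blackout. The Python simulation below is an added example, not Cato's implementation, that shows why sending each packet over two independent links drives residual loss down to roughly the product of the per-link loss rates, and why an active/active pair keeps delivering when one link blacks out entirely. The per-link loss rates, packet counts, random seed and the "link B blackout" scenario are constructed values for illustration.

```python
"""Packet duplication over two independent last-mile links, with de-duplication
at the far end. Added example for illustration; not Cato Networks code. Loss
rates, packet counts and the blackout scenario below are constructed."""
import random


def simulate_duplication(n_packets, loss_a, loss_b, seed=7):
    """Send each numbered packet on link A (single-link baseline) and, in the
    duplicated case, on link B as well. The receiver keeps the first copy of
    each sequence number and discards the second. Returns
    (single_link_delivery_rate, duplicated_delivery_rate)."""
    rng = random.Random(seed)
    delivered_single = 0
    delivered_dup = set()
    for seq in range(n_packets):
        lost_a = rng.random() < loss_a   # independent Bernoulli loss per link
        lost_b = rng.random() < loss_b
        if not lost_a:
            delivered_single += 1
        if not lost_a or not lost_b:     # any surviving copy is enough
            delivered_dup.add(seq)
    return delivered_single / n_packets, len(delivered_dup) / n_packets


def expected_residual_loss(loss_a, loss_b):
    """Closed form for independent links: a packet is lost only when both
    copies are lost, so residual loss is the product of the per-link rates
    (1% and 1% -> 0.01%; 15% and 15% -> 2.25%)."""
    return loss_a * loss_b


def blackout_delivery(n_packets, loss_a, seed=7):
    """Active/active aggregation during a link B blackout (loss rate 1.0):
    delivery falls back to link A alone rather than dropping to zero."""
    _, dup = simulate_duplication(n_packets, loss_a, 1.0, seed)
    return dup


if __name__ == "__main__":
    for p in (0.01, 0.05, 0.15):
        single, dup = simulate_duplication(100_000, p, p)
        print(f"per-link loss {p:.0%}: single-link delivery {single:.4f}, "
              f"duplicated delivery {dup:.4f}, "
              f"analytic residual loss {expected_residual_loss(p, p):.4%}")
    print(f"link B blackout, link A at 1% loss: delivery {blackout_delivery(10_000, 0.01):.4f}")
```

The model assumes the two links fail independently; links that share upstream infrastructure are correlated, and the product rule then overstates the benefit, which is why the section above pairs duplication with monitoring and path selection rather than relying on it alone.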

Advanced Network Security Technologies

Since the release of Gartner’s Market Guide for Zero Trust Network Access (ZTNA) last April, ZTNA has been one of the biggest buzzwords in network security, and for good reason. A policy of zero trust helps enterprises limit exposure to the myriad of threats facing the modern network. However, ZTNA alone isn’t enough to maintain a strong security posture. Enterprises also need intelligent, flexible, and robust security technologies capable of enforcing the granular security policies ZTNA demands and proactively detecting and preventing threats to the network. This means enterprises need to do away with the “castle and moat” approach to security and adopt modern security solutions. But what does that look like in practice? Let’s find out.

Castle and moat alone doesn’t cut it anymore

In the early 2000s, most mission critical data within a WAN flowed between corporate data centers and offices. Mobile users and cloud computing weren’t the norm like they are today. This made the “castle and moat” approach to security viable. The idea behind the castle and moat approach is straightforward: if you fortify the network perimeter well enough, using security policies, firewalls, proxies and the like, your internal network will remain safe. As a result, security practices within a network didn’t necessarily have to be as strict. However, not only have modern threats poked holes in this approach, cloud and mobile have shifted the paradigm. Network perimeters are no longer clearly defined and static. They also extend beyond the walls of corporate offices and datacenters out to cloud datacenters and anywhere an employee has a smart device with Internet access. This change not only drove a shift away from MPLS (Multiprotocol Label Switching), it changed how security is implemented within enterprise networks.
To account for the new dynamic nature of modern networks, enterprises are adopting Zero Trust Network Access (ZTNA) approaches to security, sometimes referred to as Software Defined Perimeter (SDP). The idea behind ZTNA is simple: by default, trust no one (internal or external) and grant only the minimum required access for business functions. Cato Cloud’s approach to ZTNA makes it easy to implement at a global scale because policies are implemented using the cloud-native technologies baked into the underlying network.

Network security technologies for the modern digital business

Of course, there is more to securing a network than just ZTNA. Modern security technologies are required to detect, prevent, and mitigate threats and breaches across a network. Specific network security technologies that help meet these requirements include:

Next-generation Firewall (NGFW)
NGFWs are application-aware firewalls that enable in-depth packet inspection of inbound and outbound network traffic to ensure enforcement of security policies. NGFWs can drill down beyond IP addresses, TCP/UDP ports, and network protocols to enforce policies based on packet content.

Secure Web Gateway (SWG)
Web-borne malware is one of the biggest threats facing enterprise networks today. SWGs focus on inbound and outbound Layer 7 packet inspection to protect against phishing attacks and malware from the Internet.

Anti-malware
Anti-malware engines use both signature-based and heuristic-based techniques to identify and block malware within a network. Intelligent anti-malware engines are an important safeguard against zero-day threats or modifications of malware designed to avoid detection based on signature alone.

Intrusion Prevention System (IPS)
IPS protection engines help to detect and prevent threats to the network perimeter. The Cato Cloud IPS Protection Engine is a fully-managed, context-aware, and machine learning enabled solution.
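The ZTNA principle stated above (default deny, minimum required access) is easiest to see next to the castle-and-moat model it replaces. The Python below is an added example written for this page, not Cato Cloud's policy engine or policy format: a legacy VPN that places any authenticated user on the whole network, beside a default-deny evaluator that grants access per application and action and only after a simple device-posture check. The users, groups, applications, hosts and grant table are constructed.

```python
"""Network-centric VPN access versus a default-deny ZTNA policy. Added example
to illustrate the principle described above; it is not Cato Cloud's policy
engine. Users, groups, applications, hosts and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # group memberships asserted by the identity provider
    app: str                 # the specific application being requested
    action: str              # e.g. "read" or "write"
    device_managed: bool     # simple posture signal


# Constructed grant table: (group, app) -> actions explicitly permitted.
# Anything not listed here is denied.
ZTNA_GRANTS = {
    ("finance", "erp"): {"read", "write"},
    ("engineering", "git"): {"read", "write"},
    ("engineering", "ci"): {"read"},
    ("contractors", "ticketing"): {"read"},
}

# Apps that additionally require a managed device (constructed posture rule).
MANAGED_DEVICE_REQUIRED = {"erp", "git"}

# Constructed inventory of what sits on the internal network.
NETWORK_HOSTS = ("erp", "git", "ci", "ticketing", "hr-db", "backup-server")


def vpn_reachable_hosts(authenticated: bool):
    """Castle-and-moat model: a successful VPN login places the user on the
    internal network, so every host is reachable (and can be probed) regardless
    of whether the user has any business need for it."""
    return set(NETWORK_HOSTS) if authenticated else set()


def ztna_decide(req: AccessRequest):
    """Default deny. Access is granted only when an explicit (group, app) grant
    lists the requested action and the device posture requirement is met.
    Returns (allowed, reason) so every decision can be logged for audit."""
    if req.app in MANAGED_DEVICE_REQUIRED and not req.device_managed:
        return False, f"{req.app} requires a managed device"
    for group in sorted(req.groups):
        actions = ZTNA_GRANTS.get((group, req.app))
        if actions and req.action in actions:
            return True, f"{req.action} on {req.app} granted via group {group}"
    return False, f"no grant for {req.action} on {req.app}"


def ztna_visible_apps(groups):
    """Under ZTNA a user only learns about apps that some grant names for one of
    their groups; the rest of the network is invisible, not merely blocked."""
    return {app for (group, app) in ZTNA_GRANTS if group in groups}


if __name__ == "__main__":
    contractor = AccessRequest("cj", frozenset({"contractors"}), "erp", "read", True)
    print(vpn_reachable_hosts(True))             # legacy: everything reachable
    print(ztna_visible_apps(contractor.groups))  # zero trust: {'ticketing'}
    print(ztna_decide(contractor))               # (False, 'no grant for read on erp')
```

The reason string returned with each decision matters as much as the boolean: a denied request with "no grant" versus "requires a managed device" is what a SOC needs to distinguish a misconfigured policy from a user on an unapproved device.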
The cloud-native advantage

While each of these network security technologies alone can enhance a network’s security posture, integrating them into the underlying network fabric, as is the case with Cato Cloud, goes a step further. When security technology is a part of the network fabric, you can avoid blind spots and endpoints that go unprotected. For example, while providing enterprise-grade security and SWG functionality for mobile users can be difficult or impossible with other solutions, every user (including mobile) connected to the WAN is protected with Cato Cloud. Additionally, you can eliminate many of the headaches of appliance sprawl. Scaling, upgrades, and maintenance are simple because the cloud model abstracts away the complexities and simply provides enterprises with the solutions.

The benefits of managed threat detection and response

Of course, even with modern network security technologies in place, detecting, containing, and remediating breaches (which can still happen despite your best efforts) requires a certain amount of skill and expertise. This is where managed threat detection and response (MDR) can make a real difference for enterprises. For example, by using Cato’s MDR, enterprises can benefit from:

Automated threat hunting
Intelligent algorithms search for network anomalies based on billions of datapoints in Cato’s data warehouse.

Reduced false positives
Potential threats are reviewed by security researchers who only alert based on actual security threats.

Faster containment of threats
Once a live threat is verified, automatic containment actions are taken, such as disconnecting affected endpoints and blocking malicious domains or IP addresses.

Rapid guided remediation
If a breach is identified, Cato’s Security Operations Center (SOC) provides advice detailing the risk level and recommended ways to remediate the situation. Further, the SOC will continue to follow up until the threat has been completely removed from the network.
All this comes together to provide enterprises with a solution that can reduce dwell time and strain on IT resources. Just how effective is Cato MDR? Consider the experience of Andrew Thompson, Director of IT Systems and Services at the fast-growing BioIVT, with Cato MDR: “Cato MDR has already discovered several pieces of malware missed by our antivirus system,” says Thompson. “We removed them more quickly because of Cato. Now I need to know why the antivirus system missed them.”

Modern networks require modern network security technologies

There’s no magic bullet when it comes to network security. Hackers will continue to come up with new ways to breach networks, and enterprises must remain diligent to avoid falling victim to an attack. By adopting security technologies that are converged and purpose-built for the modern digital business, you can help strengthen your enterprise’s security posture and lower your risk.

The WAN Accelerator and Modern Network Optimization

Network latency costs money. This is a simple concept most IT professionals understand. However, when I discuss latency reduction and WAN acceleration with network managers and CIOs, one of the key takeaways is that getting network optimization right has changed significantly over the last decade. While WAN optimization and acceleration are still important, increased bandwidth availability, cloud, and mobile have significantly shifted the paradigm. So, what exactly are WAN accelerators and what is WAN acceleration in 2020? Here, we’ll answer those questions.

What is a WAN accelerator

Simply put, a WAN accelerator is any hardware or software appliance that provides bandwidth optimization across a WAN. WAN accelerators, also known as WAN Optimization Controllers (WOCs), use a variety of different techniques, including:

Compression reduces the amount of data sent across the network. Compression, in the context of WAN acceleration, typically operates at the byte level and works in a similar fashion to file compression but applies to data in transit.

Deduplication is similar to compression but operates on larger amounts of data, typically at the block level. Its goal, like compression, is to maximize the available bandwidth.

Caching is another technique focused on reducing bandwidth usage. Caching stores frequently accessed data locally, eliminating the need to retransmit the data across the network.

Protocol acceleration techniques improve protocol operation across the network, particularly in terms of reducing the latency introduced by inefficient protocol operation. Local flow control, selective acknowledgment, and window scaling are techniques that help enhance TCP connections.

Application-specific acceleration techniques boost the efficiency of applications. While protocol acceleration improves the operation of the underlying network and specifically the TCP layer, application-specific optimizations address the chattiness of application-layer protocols.

Packet loss correction techniques, such as packet duplication, overcome packet loss, particularly in the last mile.

Generally, WAN acceleration appliances were deployed at locations across a WAN to achieve WAN optimization objectives.

SD-WAN: The WAN accelerators for the modern digital enterprise?

As we can see, in the past WAN acceleration was heavily focused on reducing bandwidth consumption between sites. This made sense when applications resided in private datacenters and were accessed from branch offices across narrow, expensive MPLS circuits. However, today, applications and data have shifted to the cloud and are accessed as much by mobile and remote users as by those in the office, rendering appliances obsolete. And with Internet capacity far more readily available and more affordable than MPLS, conserving bandwidth is no longer nearly as critical. What is necessary is the ability to leverage Internet capacity in a way that can meet enterprise requirements. SD-WAN edge appliances run affordable, last mile public Internet services in active/active configuration. Not only does this give companies incredible agility in combining bandwidth capacity, but it also adds last mile resilience. In the event of a brownout or blackout, SD-WAN devices can switch traffic to the alternate service. And by including packet loss correction techniques, particularly packet duplication, SD-WAN devices can overcome last-mile connectivity problems. At the same time, edge-based SD-WAN continues to fall victim to the same limitations as any appliance. The short history of SD-WAN shows that an appliance-based approach works for site-to-site connections but continues to be a poor fit for the cloud and irrelevant to mobile devices.
Additionally, the shift from MPLS to a public-Internet core, on which edge-based SD-WAN depends for its cost savings, introduces a myriad of challenges endemic to the modern Internet infrastructure that can negatively impact the performance of latency-sensitive applications, such as VoIP (Voice over IP) and UCaaS (Unified Communications as a Service). This creates a situation where the modern digital enterprise needs an approach to WAN optimization that keeps bandwidth costs low, resolves the reliability and latency challenges of the public Internet, and accounts for cloud and mobile use cases. The cloud-native approach to WAN optimization directly addresses all of these challenges.

The cloud-native approach to WAN acceleration

Instead of hosting WAN acceleration in appliances at the edge, the capabilities are increasingly being moved into the cloud. Making WAN acceleration part of a global, cloud-native platform, like Cato Cloud, eliminates the appliance form factor that was so difficult to deploy in the cloud and irrelevant to mobile users. Instead, Cato and other cloud-native platforms let organizations use the optimum solution to connect their “edges” — a simple SD-WAN device for sites, native cloud connectivity for cloud resources, and client-based or clientless connectivity for mobile and remote users. Regardless of the edge type, traffic is sent to the nearest PoP, where the cloud-native software accelerates traffic and delivers it across the Cato backbone to the respective edge. The PoPs of Cato Cloud are colocated in the same physical datacenters as the IXPs of the leading cloud datacenter providers. With a few clicks on a management console, cloud traffic can be sent across Cato’s accelerated backbone and dropped at the footstep of the cloud datacenter provider or at the PoP closest to the cloud application provider.
Additionally, by segmenting connections in a last-mile, middle-mile (a global private backbone), last-mile paradigm, Cato Cloud is able to recover from packet loss faster than SD-WAN appliances. As a result, Cato Cloud users benefit from:

Optimized global connectivity. Cato’s global private backbone consists of 50+ PoPs supported by multiple Tier-1 Internet Service Providers and is backed by a 99.999% uptime SLA. This helps enterprises address the reliability and performance challenges of the public Internet across the middle mile without sacrificing flexibility for cloud and mobile applications.

Network optimization. Cato boosts end-to-end throughput by minimizing the effects of latency on traffic flow. Bandwidth-heavy tasks such as file uploads and downloads can improve by 20x or more.

Cloud application acceleration. Cato routes traffic from cloud applications, such as UCaaS and Office 365, along the optimum path to the PoP closest to the customer’s instance in the cloud. Traffic is dropped off at the doorstep of the cloud application provider. In this way, Cato minimizes latency in cloud application sessions and, by applying its WAN optimizations, further reduces the effects of latency.

Cloud acceleration and control. Cato routes traffic from all WAN edges to the Cato Point of Presence (PoP) nearest to the cloud service provider’s datacenter. As Cato shares a datacenter footprint with many popular cloud service providers, latency from the Cato PoP to the provider is near zero. Further, Cato provides this functionality without the need for cloud appliances and without the additional cost of services such as AWS Direct Connect or Azure ExpressRoute.

Mobile access optimization. Using clientless browser access with mobile or with the Cato Client application, enterprises eliminate the need for inefficient backhauling, and remote users automatically connect to the closest Cato PoP and receive the same enterprise-grade optimization and protection as on-premises users.
Just how much of a difference can Cato Cloud make in the real world? Looking at Salcomp’s experience, Cato Cloud was able to provide a better than 40x throughput improvement for SharePoint file transfers.

Modern WAN acceleration requires a modern approach

WOCs were built to solve a specific set of problems that existed when bandwidth costs and availability were the primary WAN acceleration and optimization challenges. Today, cloud and mobile use cases coupled with reduced bandwidth costs have changed how enterprises need to approach optimization. Cato Cloud offers enterprises an approach to acceleration made for the digital business, one that optimizes traffic for all tenants of the new enterprise, not just locations. If you’d like to learn more about what Cato can do for you, contact us today or start a trial to put Cato Cloud to the test.
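The "What is a WAN accelerator" section above lists compression and block-level deduplication as the classic bandwidth-saving techniques of a WOC pair. The Python below is an added example written for this page, not code from any WAN optimization product: it moves a constructed document across a simulated WOC pair twice, the second time with a single byte edited, and counts bytes on the wire, then compares byte-level compression on incompressible versus chatty text payloads. The 64-byte block size, the 1-byte record type plus 32-byte SHA-256 reference framing, and all payloads are assumptions for illustration.

```python
"""Byte-level compression and block-level deduplication, the two bandwidth
techniques listed above, applied to constructed traffic. Added example; not
code from any WAN optimization product. Block size, traffic and the 1-byte
record type / 32-byte reference framing are assumptions for illustration."""
import hashlib
import random
import zlib

BLOCK_SIZE = 64        # constructed: real WOCs use larger, often variable, blocks
REF_LEN = 32           # SHA-256 digest sent instead of a block both ends hold
TYPE_LEN = 1           # record type byte: 0 = literal block, 1 = reference


def dedup_transfer(data: bytes, cache: dict) -> tuple:
    """Simulate one transfer between a WOC pair sharing `cache` (block digest
    -> block). A block the peer already holds is replaced by its digest; a new
    block is sent literally and added to both caches. Returns
    (bytes_on_wire, reconstructed_data) so correctness can be checked."""
    wire = 0
    rebuilt = bytearray()
    for start in range(0, len(data), BLOCK_SIZE):
        block = data[start:start + BLOCK_SIZE]
        digest = hashlib.sha256(block).digest()
        if digest in cache:
            wire += TYPE_LEN + REF_LEN          # reference only
        else:
            wire += TYPE_LEN + len(block)       # literal block
            cache[digest] = block
        rebuilt += cache[digest]                # receiver resolves from its cache
    return wire, bytes(rebuilt)


def compressed_size(data: bytes) -> int:
    """Byte-level compression of data in transit (zlib stands in for the
    accelerator's compressor)."""
    return len(zlib.compress(data, 9))


def make_document(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed, incompressible payload (pseudo-random bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def demo() -> dict:
    """Send a 2560-byte document, then a copy with one byte changed in block 5.
    The second transfer is mostly references; only the edited block travels."""
    cache = {}
    original = make_document(40 * BLOCK_SIZE)
    edited_at = 5 * BLOCK_SIZE
    edited = (original[:edited_at]
              + bytes([original[edited_at] ^ 0xFF])   # guaranteed to differ
              + original[edited_at + 1:])

    first_wire, first_rebuilt = dedup_transfer(original, cache)
    second_wire, second_rebuilt = dedup_transfer(edited, cache)
    assert first_rebuilt == original and second_rebuilt == edited

    # Constructed chatty application traffic: highly repetitive, compresses well.
    chatty = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 50
    return {
        "first_transfer_wire_bytes": first_wire,      # 40 literal blocks * 65
        "second_transfer_wire_bytes": second_wire,    # 39 references * 33 + 1 * 65
        "random_raw_vs_compressed": (len(original), compressed_size(original)),
        "text_raw_vs_compressed": (len(chatty), compressed_size(chatty)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the numbers make concrete: deduplication pays off only on the second and later transfers of data both ends have seen, and byte-level compression does nothing for already-random content (encrypted traffic looks the same to a compressor), which is why the section above treats these as complementary rather than interchangeable.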

The 4 Key Considerations for Extending Your Business Continuity Plan (BCP) to Home and Remote Workers

It’s a challenge not to think of a spreading health crisis when you’re crushed into a crowded train or bus, clutching a germ-infested pole and dodging a nearby cough. As the current crisis develops, enterprise business continuity planning and risk management will lead to millions of enterprise users working full time from home. Already we’ve seen the number of active remote or mobile users of the Cato Cloud rise 75 percent since early January, growing from about 10,000 users to 17,500 users. In fact, as this Bloomberg article highlights, we’re probably about to embark on the largest global work-at-home experiment in history. What does that mean for your business continuity planning and remote work strategy? Consider four categories: connectivity, performance, security, and management. Here’s a summary of each.

Connectivity and Architecture

IT has been supporting remote and mobile users for years, but a sudden spike in staff working from home full time is a whole new ballgame. Most won’t be connecting occasionally to check email or do some quick catchup at the airport, between meetings or after hours at the hotel. They’ll be on the network every workday for hours accessing enterprise applications, files, and data. Your current remote access infrastructure was likely never sized to cope with such a large, constant load, which means you’ll probably have to add or upgrade remote concentrators. In the best of times, this can take days or weeks, but hundreds or thousands of companies will also need similar upgrades. Aside from the corporate datacenter, most enterprise users will be accessing infrastructure and applications in cloud datacenters, which adds connectivity complexity, as we discuss in this eBook, Mobile Access Optimization and Security for the Cloud Era, and below.
For security reasons, most organizations choose to route cloud traffic through datacenter security infrastructure first, then out to cloud datacenters many miles away, which adds latency to the home user’s cloud user experience. Datacenter network congestion is also an issue, one that AdRoll, a company offering a marketing platform for personalized advertising campaigns, had to grapple with. Not only did backhauling remote user cloud traffic add latency to AdRoll’s cloud user experience, but it also saturated the San Francisco Internet connection and created availability problems, as the San Francisco firewall had no geo-redundancy. “It puts a lot of stuff in one basket,” says AdRoll’s Global Director of IT, Adrian Dunne. “Once the VPN on our primary firewall rebooted. Suddenly 100 engineers couldn’t work anymore.”

Performance and User Experience

Mobile and home VPN users often complain about remote access performance even when infrastructure is sized appropriately, thanks to the unpredictability, latency and packet loss inherent in the public Internet core. When accessing the cloud, the mobile experience can get so sluggish that users often abandon the corporate backhauling solution to access the cloud directly, opening significant security gaps. Many newer users also find themselves struggling with unfamiliar VPN client software, passwords, and connections to multiple cloud services. To make working at home a success, IT will have to find ways to simplify and speed up the user experience so it’s more like working at the office. This may mean considering alternatives to backhauling and running traditional VPNs, which we discuss below.

Security

As more and more users work from home, security risks are bound to increase. More remote users mean more opportunities for threat actors to penetrate security defenses. Unfortunately, traditional VPNs authenticate remote users to the entire enterprise network, allowing them to ping or “see” all network resources.
Hackers have been known to exploit this opportunity, as they did with the infamous Home Depot and Target breaches of a few years ago, which took advantage of stolen VPN credentials. Once inside the network, a hacker is only one administrator password away from access to sensitive applications and data. That’s a big reason why IT security has been moving away from network-centric security towards software-defined Zero Trust Network Access, which grants users access only to what they need, when they need it. Enforcing security policies for many more remote users can also add latency and slow down performance. The alternative is to let mobile users connect directly to the cloud and deploy new cloud-based security solutions, such as secure Web gateways or cloud access security brokers (CASB), that intercept connections before they reach the cloud. Users will still be contending with public Internet performance, however.

Management

Deploying client VPN software on thousands of new home users’ systems can take considerable resources and time that organizations may not have during a crisis. AdRoll found VPN onboarding of new users a very cumbersome process, especially for contractors. “Using the Mac’s management software to push out VPN configurations to users was a pain,” says Dunne. Dunne also had to send instructions for configuring the VPN client to each user. Once these users are onboard, IT also needs appropriate tools for managing and monitoring all those remote users, much as it does for its branch offices and other sites. Shifting to cloud-based Web gateways and CASBs has its own overhead as well.

Cato’s SASE Solution Provides Access Needed for Remote Workers

There is a solution that can solve many of these connectivity, security, performance and management issues: a cloud-native network such as the Cato Cloud.
Built on the principles of Gartner’s secure access service edge (SASE), Cato connects mobile and remote workers to the same network, secured by the same security policy set, as those in the office. Rather than connecting to the corporate datacenter, then out to cloud applications, home users connect to their nearby cloud-native network point of presence (PoP). From there they become part of a virtual enterprise WAN that the datacenter and branch offices access through their local PoPs as well. Cato locates its PoP infrastructure in some of the same datacenters as major cloud providers, including AWS and Microsoft Azure, allowing for fast direct connections to cloud services.

Connectivity isn’t an issue. Cato’s cloud architecture is designed for massive scalability to support any number of new users regardless of session duration or frequency. They can work at home or in the office all day, every day and the Cato architecture will accommodate the load transparently. “Cato’s mobile VPN is my secret BCP [business continuity plan] in my back pocket,” says Stuart Gall, then the infrastructure architect in the network and systems group at Paysafe. “If my global network goes down, I can be like Batman and whip this thing out.”

Performance improves by eliminating backhaul and inspecting traffic in the PoP rather than the datacenter. Home and mobile users bypass the unpredictable Internet middle mile and instead use the Cato backbone with its optimized routing and built-in WAN optimization to dramatically reduce latency and improve data throughput. The user experience improves in other ways. Users connect to all their applications and resources, whether spread across multiple clouds or in the private datacenters, with a single login. Getting users connected is easy. “The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. “It was the coolest technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device.”

Most of the security and network management is handled by the cloud provider, rather than enterprise IT. Cato’s Security as a Service provides a fully managed suite of agile, enterprise-grade network security capabilities, built directly into the Cato Global Private Backbone, including a next-generation firewall/VPN, a Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and Managed Threat Detection and Response (MDR). Cato simplifies security management in other ways. “With firewall appliances, you install certificates from your firewall and only then you realize that when your user goes to another site, you again need to install another SSL certificate at that appliance,” says the IT manager at a leading EduTech provider. “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.” Adding new home users to a cloud-native network is a quick process that doesn’t require expensive, time consuming appliance upgrades. “With Cato, we just sent a user an invite to install the client,” says Dunne. “It’s very much like a consumer application, which makes it easy for users to install.” AdRoll’s San Francisco chokepoint was eliminated, and Cato gave Dunne more granular control over permissions for mobile users.

The current crisis will likely require a lot of quick action from IT to get users connected and working from home fast and securely. A cloud-native, SASE network can make the job faster and easier while giving all those home-based workers a satisfying user experience.

From MPLS to SD-WAN to SASE: An Evolution of Enterprise Networking

The way we do business is changing. As critical business applications migrate to the cloud, and the mobile workforce continues to grow, networking and security solutions need to evolve in order to meet the changing business needs. Gartner believes (and we agree) that the future of networking lies with SASE (Secure Access Service Edge) – the convergence of networking and security into one cloud service. Here’s why.

1990s - 2000s: MPLS and the Era of Clear Network Boundaries?

Back in the day, networking models were hardware-centric and manually configured. Applications, data, and services lived within private datacenters and relied on remote access solutions to connect remote workers. Dedicated network connectivity, known as MPLS, was the preferred approach for connecting remote locations. MPLS provides predictable performance, low latency and packet loss, and central management. However, MPLS is expensive, capacity constrained, and provisioning of new links takes a long time. Alongside MPLS, Internet links co-existed as a lower quality and inexpensive alternative, which didn’t come with the performance and uptime guarantees of dedicated connectivity. Many organizations ended up integrating both into their networking environments in an active (MPLS) and passive backup (Internet) configuration. Regardless, the WAN became complex, costly and the epitome of a lack of agility. Operational costs grew as administrators had to manually configure and deploy routers and appliances needed in the branch offices: WAN optimizers for overcoming bandwidth limitations, stacks of security appliances for defending the Internet perimeter, packet capture and analysis appliances for visibility and more. Maintaining such a setup was becoming increasingly difficult.

2000s – 2010s: Moving to Software-Defined WAN

Next came the attempt to fill the gaps created by the limitations of MPLS and the public Internet with SD-WAN.
SD-WAN automates the use of multiple links (MPLS, xDSL, Fiber, Cable, and 4G) to increase overall network capacity, improve agility to speed up site provisioning, automatically adjust to changing network conditions, and reduce overall cost per megabit. SD-WAN offers a cost-efficient and flexible alternative to MPLS, but SD-WAN alone can’t provide a complete WAN transformation. It fails to deliver the security, cloud readiness and mobility required to support the digital business. As a result, IT teams find themselves dealing with technological silos, built upon point products that are loosely integrated and separately managed.

Today: Network and Security Delivered from the Cloud (SASE)

In the digital age we all live in, enterprise networks must extend to the cloud, remote locations, and mobile users. This is easier said than done. IT traditionally responds to new business needs with point products. For example, SD-WAN is used to address the high cost and capacity constraints of MPLS; cloud acceleration and security appliances are deployed to support cloud migration; branch security and WAN optimization are needed for distributed locations; and VPN enables remote users to access business applications. This type of network architecture, built on a pile of point products and appliances, increases complexity and cost for IT, and is hard pressed to support the needs of the digital business for optimization, security and efficiency. As Gartner notes, “In essence, complexity is the enemy of availability, security and agility” *. There must be a simpler way. There is, and it’s called SASE. SASE is a new infrastructure category introduced by Gartner in 2019. It converges multiple point solutions such as SD-WAN, Next-gen firewalls, secure web gateway, Software defined perimeter (SDP), and more into a unified, global cloud-native service. SASE enables IT to provide a holistic, agile and adaptable service to the digital business.
According to Gartner, “Digital transformation and adoption of mobile, cloud and edge deployment models fundamentally change network traffic patterns, rendering existing network and security models obsolete.” ** This is why Gartner considers SASE to be transformational, providing enterprises with an agile, scalable and elastic platform to support their digital business needs today, and into the future.

* Gartner, “Avoid These 'Bottom 10' Networking Worst Practices,” Vivek Bhalla, Bill Menezes, Danellie Young, Andrew Lerner, 04 December 2017
** Gartner, “Market Trends: How to Win as WAN Edge and Security Converge Into the Secure Access Service Edge,” Joe Skorupa and Neil MacDonald, 29 July 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2019: A Year of Innovation and Validation for the Cato Vision

Today we announced our 2019 business results, and those results were nothing short of stellar. We saw massive growth in our customer base, explosion of channel interest and… planetary alignment. Yes, the stars shifted in 2019, as the industry adoption of Cato’s revolutionary approach to networking and security came in the form of Gartner’s Secure Access Service Edge (SASE) architecture.

By the end of 2019, more than 450 enterprises worldwide were relying on Cato Cloud to connect tens of thousands of locations and mobile users quickly and securely with the datacenter, the cloud, the network edge and each other. Customers chose the Cato SASE solution, integrating SD-WAN, security, mobility and a converged backbone for maximum performance, protection and agility. “We founded Cato five years ago on the premise that enterprise networking and security had to converge into the cloud, and last year’s results are the clearest validation of that vision,” says Cato CEO Shlomo Kramer. Here’s an overview of some of last year’s highlights.

SASE Makes Cato’s Convergence of Networking and Security into the Industry Standard

In mid-2019, the Cato vision became part of a Gartner trend. The definition of SASE crystalized much of what Cato’s been saying since its inception. We have several blogs and a web page devoted to SASE, so I won’t go into it too much here, but Gartner analysts Neil MacDonald and Joe Skorupa first introduced the term SASE in a July 9 Gartner Hype Cycle for Enterprise Networking, then dug into it more deeply in a July 29, 2019 Market Trends report, How to Win as WAN Edge and Security Converge into the Secure Access Service Edge, and an August 30, 2019 Gartner report, The Future of Network Security is in the Cloud. All these reports highlight the growing enterprise IT trends (adoption of cloud-based services, global mobility, and operational simplicity and agility) that we’ve been touting for five years.

Gartner defines SASE as a unified cloud-native service that integrates wide area networking, network security functions and equal support for physical locations, cloud datacenters, branches, and mobile users. Sound familiar? Indeed, Gartner labelled Cato Networks a Sample SASE vendor. Cato is the first company to offer a fully functional global SASE platform. “Today, Cato is the industry standard for SASE,” says Shlomo.

Our Customers and Channel Partners Get It

Riding a Gartner trend has its benefits, and we’ve certainly reaped them in the past year. “We’ve seen massive business growth, incredible customer traction and widespread industry endorsement of the Cato approach in the form of Gartner’s SASE framework,” says Shlomo. Indeed, we saw customer bookings grow by a massive 220 percent, doubling across all industries, and channel-led business also doubled. However, sheer growth is only a small part of the story. The real validation of the Cato vision: given the choice of adopting Cato SD-WAN alone or Cato’s full SASE solution, most chose SASE. More specifically, 70 percent of our customers chose SD-WAN with built-in advanced security delivered as a single integrated cloud service. Approximately half of our customers replaced their legacy MPLS service with Cato’s SD-WAN and converged global backbone, and Cato more than doubled the number of VPN licenses sold with SD-WAN.

Most Cato customers have taken or will take advantage of our cloud optimization. Cato locates its PoPs in the same physical datacenters as leading cloud providers such as AWS and Microsoft Azure, minimizing latency between Cato and the cloud. Automotive industry manufacturer Komax is a great example of a company that reaped the benefits of the Cato vision by transitioning from managed appliance-based UTMs with SD-WAN to Cato. “As an IT organization, we were well familiar with the benefits of the cloud and wanted the same for our network infrastructure,” says Tobias Rölz, Komax VP of Global IT and Digital Business. “Cato allowed us to move intelligence and computation away from the edge SD-WAN appliance into the Cato Cloud. As a result, deploying branch SD-WAN became simpler and faster, with lower operational costs than we experienced with a managed service running security processing on SD-WAN appliances.”

Our customers certainly get it. The channel gets it too. Our channel partners reaped the value of leveraging the Cato SASE solution for new customer services, enhanced profits and customer value, and strong differentiation, as evidenced by a 387 percent increase in upsell opportunities to existing customers. More than 200 certified partners have joined Cato’s Global Partner Program with Accelerated ROI since its launch in the middle of last year.

New Capabilities and Upgrades

2019 was also a year of solution enhancements. Cato added global Points of Presence (PoPs), now totaling more than 50, and more than 100 new features, notably:

Managed Threat Detection and Response (MDR), with zero-footprint detection of endpoint malware and persistent threats via advanced machine learning and human anomaly verification. Once a threat is identified, Cato experts can guide customers through the remediation process.

Instant Insight, offering advanced SIEM (Security Information and Event Management) capabilities without the usual complexity, investment and steep learning curve.

Hands-Free Management, allowing customers to offload some or all security configuration and change management to Cato or one of its partners.

Next Generation Anti-Malware, including protection against zero-day threats, in partnership with SentinelOne.

Compliance Upgrade

Beefing up our robust information security is important to customers, who wrestle with the increasing sophistication of today’s hackers and data breaches. However, security isn’t the whole story; they also have to prove compliance with strict government and industry regulations for protecting customer and corporate data. Cato already simplifies this challenge by proving compliance with ISO 27001 and the European Union’s GDPR. This year we added compliance with another standard. The SOC 2 security standard was developed by the American Institute of CPAs (AICPA), defining requirements for protecting and managing customer data. Cato complies with SOC 2 audit requirements via annual audits by Ernst & Young based on AICPA’s Trust Services Criteria.

The past five years have been exciting for Cato as it grew, developed and promoted its vision of converged enterprise networking and security. As a year of validation, 2019 was the most exciting yet, with growth and innovation that set the stage for even bigger things in 2020 and the years ahead.

Where is Network Security headed in 2020?

Forbes’ recent cybersecurity predictions for 2020 cited an old quote from Cato Networks’ co-founder Shlomo Kramer. Back in 2005, Kramer compared cybersecurity to Alice in Wonderland: you run as fast as you can just to stay in place. Almost 15 years later, the comparison applies perfectly to the state of network security. Despite the diligent effort of infosec professionals, new threats are emerging every day and news of breaches has become commonplace.

So, after all the running we’ve done in the 2010s, where is network security headed in 2020? What WAN security solutions do enterprises need to protect their networks as we kick off the decade? Here, we’ll answer those questions, explain how Zero Trust Network Access (ZTNA) helps enterprises strengthen their security posture for more than just mobile users, and explore the benefits of managed threat detection and response (MDR).

The Zero-Trust Approach

Network security refers to the technology, policies, procedures, and strategies used to protect the data and assets within a network. In the late 1990s and early 2000s, the “castle-and-moat” approach to cybersecurity was common. The premise is intuitive enough: if you secure the perimeter strongly enough, the entire network is secure. However, the dynamic nature of cloud computing, the security challenges posed by mobile users, and IoT (Internet of Things) have blurred the lines that define network perimeters and created new attack surfaces. Today, enterprises must be prepared to address a wide variety of attacks, including social engineering attacks, Internet-borne malware, and ransomware, across all the different attack vectors that exist within modern networks. As a result, many infosec experts now advocate for a zero-trust approach to network security. The idea behind zero trust is simple: don’t trust anything by default and only allow the minimum required access to network resources. Of course, implementing zero trust requires full network visibility and the ability to enforce granular policies across the WAN. Doing so effectively requires a network security system with the right tools and an agile Software Defined Perimeter (SDP).

Network and Security Solutions to Address Modern Threats

The tools required to secure a WAN can be implemented as hardware or software appliances or using a cloud-based security-as-a-service model. With security as a service, enterprises can minimize the complexity of managing multiple appliances at scale as well as reduce capex. Further, with the cloud-native WAN infrastructure that supports the Cato Cloud, enterprises get security solutions baked into the underlying network. Network security tools that are part of Cato’s network infrastructure include:

Next-generation firewall: NGFW allows granular rules to be implemented that can control access based on network entities, traffic type, and time. Additionally, a Deep Packet Inspection (DPI) engine enables contextualization of traffic. NGFW also supports the creation of custom application definitions to enable identification of specific apps based on TCP/UDP port, IP address, or domain.

Secure Web Gateway: SWG helps mitigate social engineering attacks like phishing and protects against Internet-borne malware. SWG focuses on layer 7 traffic exclusively and inspects inbound and outbound flows. URL filtering prevents users from accessing restricted sites while connected to the WAN, which adds an additional layer of protection in the event a user is tricked into clicking a malicious link.

Next-generation anti-malware: The Cato Cloud uses signature- and heuristic-based inspection engines to detect malware and protect against known threats. Further, Cato’s partnership with endpoint protection solutions provider SentinelOne brought industry-leading AI-based anti-malware technology to the Cato Cloud. What is unique about the SentinelOne solution is its ability to identify threats without a signature, making it highly effective against zero-day malware.

Intrusion Prevention System: IPS is a fully managed, cloud-based solution supported by Cato’s Security Operations Center (SOC). The IPS protection engine is contextually aware and fine-tuned to avoid false positives and deliver protection without sacrificing performance. Cato’s IPS uses metadata from network traffic flows and third-party data feeds in conjunction with machine learning algorithms to detect suspicious network activity. As a result, it can block malicious IP addresses based on reputation, validate packet protocol conformance, protect against known vulnerabilities, adapt to new vulnerabilities, prevent outbound traffic to command and control servers, and detect bot activity.

The importance of ZTNA

In order to effectively implement zero-trust policies, enterprises need to be able to restrict network access at a granular level. ZTNA allows enterprises to do just that. However, there are multiple approaches to Zero Trust Network Access. ZTNA point solutions often require specialized cloud gateways or additional software and services. Additionally, they generally require mobile users to connect to resources across the public Internet, which can significantly impact performance. Cato’s ZTNA addresses these issues because it's integrated into the underlying network. No additional software or hardware is required, and mobile traffic is optimized across Cato’s global private backbone.

How MDR Complements a Network Security System

Even with a robust network security system in place, some enterprises prefer to offload the skill-dependent and resource-intensive process of detecting compromised nodes to a trusted provider. With Cato’s Managed Detection and Response services, enterprises benefit from the expertise of the Cato SOC when detecting and responding to breaches. With Cato MDR, enterprises gain expert threat verification, remediation assistance, and quarterly reporting and tracking in addition to automated threat hunting and containment features. This allows enterprises to free up resources to focus on core business activities instead of complex infosec tasks.

Network security for digital businesses requires a holistic approach

There is no silver bullet when it comes to network security. To build and maintain a strong security posture, enterprises need to take a converged approach to networking and security. This means being proactive, implementing zero trust across the network, and leveraging modern security solutions like NGFW, IPS, and SWG. To learn more about how Cato converges network and security infrastructure, read the Advanced Security Services whitepaper or contact our team of experts today.

SD-WAN vs Hybrid WAN

Most enterprise WANs have historically used MPLS, but with the proliferation of cloud resources and mobile users, organizations are realizing the need to facilitate more flexible connectivity. They are faced with many options when making this decision, but one of the first that must be considered is whether to go with a hybrid WAN or SD-WAN.

With a hybrid WAN, two different types of network services connect locations. Usually, one network service is MPLS while the other is typically an Internet connection. While some enterprises will have an active MPLS connection with an Internet/VPN connection for failover, a hybrid WAN actively uses both connections.

Hybrid WAN – Pros and Cons

Pros of Hybrid WAN

Hybrid WAN configurations allow for an easy increase in bandwidth by inserting Internet connections alongside an existing MPLS network. Offloading traffic from MPLS reduces monthly bandwidth costs and allows new installations to be turned up faster by leveraging the local Internet access link. Regulatory constraints mandating MPLS can continue to be met. A hybrid WAN takes advantage of the reliability, security, and SLA-backed performance of MPLS connections, yet limits the expense of these connections by augmenting connectivity with Internet connections that are cheaper and more versatile. In some cases, these Internet links can help improve performance for traffic that is not destined for the datacenter, as they can reduce the number of hops that occur when backhauling through the datacenter.

Cons of Hybrid WAN

The question is whether organizations can ever eliminate MPLS costs with hybrid WANs. The public Internet is too erratic for global deployments, requiring the continued use of costly international MPLS connections. Companies are still left having to wait months to provision new MPLS circuits. In addition, maintaining distinctly separate WAN connection transports adds an administrative burden and can create appliance sprawl. Finally, hybrid WANs aren’t designed with cloud and mobile communications in mind, requiring additional strategies for securing and integrating these connections into the enterprise.

SD-WAN – Pros and Cons

Pros of SD-WAN

By replacing an MPLS network with SD-WAN, there can be a significant cost saving while still maintaining the performance required for today’s applications. Unlike with MPLS, with SD-WAN customers can easily add new circuits or increase the bandwidth of existing circuits with little impact on the network configuration. By utilizing multiple low-cost, high-bandwidth circuits, SD-WAN can meet the performance and reliability organizations require. Organizations can select transport types that provide the best value for each location and still connect seamlessly to the rest of the WAN. In addition, because SD-WAN is compatible with multiple transport types, provisioning of new or additional services is much faster than with MPLS.

Cons of SD-WAN

Out of the gate, SD-WAN has several challenges that involve security, global locations, and mobile user connectivity. Because public Internet connections are used for SD-WAN, and there is no need to backhaul to the secured datacenter, the traffic is no longer secured. For connectivity to some global locations, routing and response times can be unpredictable. However, oftentimes locations that have difficulty getting reliable Internet have less than ideal MPLS connectivity as well. For many organizations, connectivity for mobile users and to the cloud is a driving force for change in the WAN infrastructure. But to have access to the cloud with SD-WAN, a separate cloud connection point is required, and mobile users are not addressed in a standard SD-WAN solution.

Making the Choice

There are SD-WAN providers that have taken the best of both worlds by combining the advantages of SD-WAN while overcoming the challenges of a vanilla SD-WAN solution. That means MPLS-like predictability and performance while also offering an integrated firewall-as-a-service that makes firewall services available to all locations. In this case, the entire WAN is connected to a single, logical firewall with an application-aware security policy that allows for a unified security policy and a holistic view of the entire WAN. The other challenges, such as cloud and mobile, are also resolved with SD-WAN-as-a-service offerings.

When comparing hybrid WAN to SD-WAN, the decision for most organizations comes down to whether they feel MPLS can be replaced. With the dramatic improvement of Internet performance, unless there are specific locations that have poor Internet connectivity, an enterprise should feel confident that an SD-WAN solution can meet its demands while also providing cost and agility advantages over MPLS or hybrid WAN. If a business has a scenario where it feels MPLS is a must, then a hybrid WAN solution can be employed.

Network Optimization Techniques for the Modern WAN

A recent conversation with a WAN engineer got me thinking about how network optimization techniques have changed over the years. Optimization has always been about overcoming latency, jitter, packet loss, and bandwidth limitations. However, in recent years bandwidth has become much less of an issue for most enterprises. Lower dollar-per-bit costs of bandwidth and apps that incorporate data deduplication and compression are big drivers of this shift. Edge computing is growing in popularity, and the real WAN optimization challenges enterprises face relate to reducing RTT (round trip time), packet loss, and jitter to ensure high QoE (Quality of Experience) for services like UCaaS (Unified Communications as a Service). At a high level, this means overcoming latency across the middle mile and addressing jitter and packet loss in the last mile.

Traditional WAN optimization tools do little to help address these challenges, as they’re simply designed to reduce bandwidth consumption. Fortunately, Cato Cloud offers enterprises a suite of network optimization tools that can. But how do these network optimization techniques work and what can they do for your WAN? We’ll answer those questions here.

Middle-Mile Network Optimization Techniques: Reducing Latency

In the past, MPLS provided enterprises with low-latency, albeit expensive, connectivity between sites. As such, sites were often connected by the minimal amount of necessary capacity. WAN optimization appliances emerged to solve that problem, providing the means to extract the maximum usage out of available MPLS capacity. However, the shift to a cloud-first, mobile-centric enterprise undermined the value of WAN optimization appliances. With more assets in the cloud, branch offices were required to send traffic back to the secure Internet gateway in the datacenter. The so-called trombone effect meant that latencies across the MPLS network to the cloud were often worse than accessing the same cloud assets directly over inexpensive DSL lines. WAN optimization appliances couldn’t fix that trombone problem. Furthermore, their ability to extract value out of every bit of capacity became less relevant when, at Internet prices, offices could have 20x more capacity than they did with MPLS. Finally, the form factor (a physical appliance) was increasingly incompatible with a world where users worked out of the office and the data lived in the cloud, two places where installing an appliance was difficult if not impossible.

Appliance-based SD-WAN and Internet-based VPN provided an alternative to MPLS, but there were tradeoffs. For example, because of the problems with the public Internet, they couldn’t reliably provide the same low-latency performance as MPLS. They too faced the “form factor” problem.

Cato Cloud solves these problems by providing a “best of both worlds” approach to WAN optimization. The converged nature of Cato’s Secure Access Service Edge (SASE) model makes cloud connectivity and mobile support possible without inefficient backhauling. Further, Cato provides a global private backbone with a 99.999% uptime SLA that delivers performance that meets or exceeds MPLS for most use cases. This backbone consists of 50+ Points of Presence (PoPs) interconnected by multiple Tier-1 providers. Traffic is optimally routed across these providers to ensure low-latency WAN connectivity across the globe. End-to-end route optimization and self-healing are built into the underlying cloud-native network to deliver high-performance connectivity in the middle mile. Additionally, Cato’s cloud-native network stack leverages network optimization techniques and tools like TCP proxies and advanced congestion management algorithms to improve WAN throughput.

Just how effective is Cato Cloud at optimizing the middle mile? Stuart Gall, Infrastructure Architect at Paysafe, can speak to that: “During our testing, we found latency from Cambridge to Montreal to be 45% less with Cato Cloud than with the public Internet, making Cato performance comparable to MPLS.” You can read more about how Paysafe replaced MPLS and Internet VPN with Cato here.

Last Mile Network Optimization Techniques: Compensating for Packet Loss and Jitter

While latency is primarily a middle-mile problem, link availability, packet loss, and jitter are common WAN performance challenges in the last mile. Cato Cloud enables WANs to mitigate these last-mile problems using several network optimization techniques, including:

Packet Loss Mitigation: By breaking the connection into segments, Cato reduces the time to detect and recover lost packets. Where connections are too unstable, Cato duplicates packets across active/active connections for all or some applications.

Active/active link usage: Cato’s SD-WAN connects and manages multiple Internet links, routing traffic on both links in parallel. Using active/active, customers can aggregate capacity for production use instead of having idle backup links.

Brownout Mitigation: In case packet loss jumps, Cato automatically detects the change and switches traffic to the alternate link. When packet loss rates improve to meet predefined thresholds, traffic is automatically returned to the primary links.

TCP Proxy with Advanced Congestion Control: Each Cato PoP acts as a TCP proxy server, “tricking” the TCP clients and servers into “thinking” their destinations are closer than they really are, allowing them to set larger TCP windows. In addition, an advanced version of TCP congestion control allows endpoints connected to the Cato Cloud to send and receive more data and better utilize the available bandwidth. This increases the total throughput and reduces the time needed to remediate errors.

Dynamic Path Selection and Policy-Based Routing (PBR): Cato classifies and dynamically allocates traffic in real time to the appropriate link based on predefined application policies and real-time link quality metrics.

Just how effective are these features in the real world? RingCentral testing has shown Cato Cloud can deliver high-quality voice connectivity across Internet links with up to 15% packet loss.

Cloud Network Optimization Techniques: Optimal Egress & Shared Datacenter Footprint

With so many workloads residing in the cloud, low-latency connectivity to cloud service providers has become a major part of network optimization for the modern enterprise. Often, this entails purchasing expensive premium connections like AWS Direct Connect or Azure ExpressRoute. With Cato, premium connectivity is built into Cato Cloud. Cato PoPs are often in the same physical datacenters as the entrance points to cloud datacenter services, such as AWS and Azure. The latency from Cato to the cloud datacenter is often a matter of just hopping across the local network. Latency to the designated PoP is minimized by Cato’s intelligent routing. Further, by using advanced congestion management algorithms and TCP proxies, Cato optimizes throughput for bandwidth-intensive operations such as large file transfers. But how much of a difference can Cato actually make? Cato’s cloud acceleration can improve end-to-end throughput to cloud services by up to 20 times and more.

Cato Cloud Modernizes WAN Optimization

As we’ve seen, Cato Cloud’s multi-segment WAN optimization approach enables enterprises to address the challenges facing network engineers today. By taking a holistic approach to optimization, enterprises can improve QoE for cloud, mobile, and on-premises use cases regardless of WAN size. To see the benefits of Cato Cloud in action, hear how Cato improves voice quality by checking out our SD-WAN & UCaaS: Better Together webinar or try this SD-WAN demo. If you have questions about how to best optimize your WAN, contact us today.

Network & Firewall Security for the Modern Enterprise

Network & Firewall Security for the Modern Enterprise Edge computing and the distributed cloud both cracked Gartner’s Top 10 Strategic Technology Trends for 2020, reminding me of a recent discussion on the challenges enterprises face when securing the modern WAN. Traditional firewall security simply can’t keep up with the challenges created by these new network paradigms. As a result, when I discuss firewall security with enterprises today, there are three reoccurring themes: visibility, scalability, and convergence. Next-Generation Firewall (NGFW) appliances help solve these problems, but deploying multiple appliances adds significant complexity and creates operational and security challenges of its own. Fortunately, when converged with the larger network infrastructure, cloud-based firewalls, or Firewall-as-a-Service (FWaaS), can address these challenges. So, how exactly can enterprises seamlessly integrate security to their networks without adding unnecessary complexity? Let’s find out. The Basics of Firewalls Before we dive into the challenges of appliance-based firewalls and benefits of FWaaS, let’s look at some of the basics of modern firewalls. Traditionally, firewalls were used to block or allow network traffic based on predefined rules. They could effectively block ports, isolate network segments, and enable basic enforcement of security policies. This same basic premise holds true for firewalls today, but the dynamic nature of modern enterprise networks has created a need for more flexible, granular, and intelligent firewall security. Three Main Types of Firewall Software and Appliances So, what sort of firewall software and appliances exist to meet these demands? In addition to the software-based endpoint firewalls that can run on network endpoints, there are three main firewall appliance types enterprises can deploy. Packet-filtering firewalls Traditional firewalls that block traffic at the protocol, port, or IP address levels. 
Stateful firewalls
Like packet-filtering firewalls, with the added benefit of analyzing end-to-end traffic flows.

Next-Generation Firewalls (NGFWs)
Offer all the functionality of stateful firewalls plus features such as deep-packet inspection (DPI), Intrusion Detection System/Intrusion Prevention System (IDS/IPS), anti-virus, and website filtering.

Given the sophistication of modern security threats, NGFW appliances are commonplace within modern WANs, and for good reason. They’re able to detect malicious behavior and provide protection that legacy firewall security solutions can’t. However, there are still several pain points enterprises face with physical and virtual firewall appliances.

The Shortcomings of Firewall Appliances

The problem with firewall appliances stems from the fact that appliances inherently require distributed deployments across sites. NGFWs are just one of a number of network appliances that enterprises must maintain, and integrating them at scale comes with challenges including:

Blind spots & reduced visibility
Since appliances are tied to a single location, they can only inspect data flows that pass through them. This leads to one of two suboptimal outcomes: appliance sprawl, or inefficient backhauling to route traffic through specific appliances for auditing. Further, since appliances are scattered throughout the network, as opposed to integrated with it, blind spots can become a real challenge.

Limited scalability
NGFWs and UTMs have a limited amount of capacity to run engines for anti-malware, IPS, and secure web gateway (SWG). These resource constraints can lead to some functionality being sacrificed, create bottlenecks, or require additional appliances to be deployed.

Silos & disjointed security policies
Multiple appliances and security solutions for cloud, mobile, and on-premises lead to communication silos between teams, limit visibility, and prevent the implementation of consistent security policies across the network.

Complex and resource-intensive maintenance
Maintaining and patching a network of firewall appliances creates a significant IT workload that doesn’t drive the core business forward. Installations, configurations, upgrades, integrations, and patch management take time and divert resources from activities that could add business-specific value.

Integrating Firewall Security: Firewall as a Service and the Secure Access Service Edge

Cato solves this problem by providing FWaaS, with all the functionality of an enterprise-grade, application-aware NGFW, as part of a broader, holistic approach to networking and security known as Secure Access Service Edge (SASE). Because Cato’s SASE platform integrates the networking and security functionality that used to require multiple different appliances into a multitenant, cloud-native infrastructure, the fundamental problem associated with NGFW appliances goes away. As a result, enterprises can implement network and firewall security that provides:

Complete visibility
As all WAN traffic on the Cato Cloud traverses the cloud-native infrastructure, there are no blind spots and no need for backhauling. Multiple security engines and DPI are baked into the network.

Unrestricted scalability
The Cato Cloud brings the unrestricted scalability of a cloud service to the WAN. Not only does this eliminate capex and ensure security isn’t sacrificed due to limited capacity, it means deployments that might otherwise have taken days or weeks can happen in minutes or hours.

Enterprise-wide policy enforcement
A converged software stack and mobile clients ensure that all users benefit from the same level of security, and that policies span the entire network.

Simple maintenance and management
Because the entire security stack is integrated into a single solution, maintenance and management are a fraction of what they were with firewall appliances. This leads to reduced costs and more resources to dedicate to business-specific tasks that can positively impact the bottom line.

Cato’s SASE Platform Integrates Networking and Security at Scale

In short, the Cato SASE platform delivers firewall security in a scalable, holistic, and future-proof manner. Not only does the Cato Cloud solve the challenge of securing the distributed cloud and edge computing deployments common to the modern digital business, it does so while enabling IT to focus less on busy work and more on core business functions. Case in point: according to Todd Park, Vice President, W&W-AFCO Steel, “Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach” after W&W-AFCO Steel replaced Internet-based VPN and firewall appliances with Cato Cloud.

You can learn more about securing modern enterprise networks in our Advanced Security Services whitepaper. Additionally, be sure to subscribe to our blog for the latest on SD-WAN, networking, and IT security. If you’d like to discuss the Cato platform with one of our experts or schedule a demonstration, don’t hesitate to contact us.
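The difference between a packet-filtering firewall and a stateful one, drawn at the top of this post, is easy to state but worth seeing in code. The Python below is an added illustration written for this page; it is not Cato’s code or any product’s implementation. The addresses, ports, the five-packet trace and the simplified connection table are all constructed for the demo. It replays the same trace through a header-only rule set and a connection-tracking filter and returns both verdicts for each packet.

```python
"""Added example (not Cato's code): a stateless packet filter next to a
stateful one, to make concrete what 'analyzing end-to-end traffic flows'
buys over header-only matching. All addresses and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN towards Internet, "in" = Internet towards LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "A", "R"


def stateless_allows(pkt: Packet) -> bool:
    """Header-only rule set. To let replies to outbound web sessions back in,
    a stateless filter has to permit every inbound packet whose source port
    is 80 or 443; it cannot tell a reply from an unsolicited packet, and it
    blocks legitimate replies from any port it has not opened."""
    if pkt.direction == "out":
        return True
    return pkt.src_port in (80, 443)


class StatefulFilter:
    """Remembers connections opened from the inside and only admits inbound
    packets that belong to one of them, whatever their source port.
    A production implementation also tracks half-closed states, sequence
    numbers and idle timeouts; this table only handles open and reset."""

    def __init__(self) -> None:
        # Keyed by (inside_ip, inside_port, outside_ip, outside_port)
        self.connections: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == "S":            # inside host opens a new connection
                self.connections.add(key)
        else:
            # Inbound: reverse the tuple and require a tracked connection.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        allowed = key in self.connections
        if allowed and "R" in pkt.flags:    # reset from either side tears it down
            self.connections.discard(key)
        return allowed


def run_scenario() -> dict:
    """Replay a constructed trace through both filters.
    Returns {packet name: (stateless verdict, stateful verdict)}."""
    lan, web, app, outside = "10.0.0.7", "198.51.100.20", "198.51.100.21", "203.0.113.5"
    trace = [
        # Inside host opens an HTTPS connection; the server's SYN/ACK returns.
        ("outbound_syn", Packet("out", lan, 51000, web, 443, "S")),
        ("reply_synack", Packet("in", web, 443, lan, 51000, "SA")),
        # Unsolicited SYN towards the inside host's SSH port, sent from source
        # port 443: indistinguishable from a web reply to a stateless ACL.
        ("unsolicited_syn", Packet("in", outside, 443, lan, 22, "S")),
        # Connection to an application on a non-standard port; its reply is
        # legitimate but comes from a port the stateless ACL never opened.
        ("outbound_syn_8443", Packet("out", lan, 51001, app, 8443, "S")),
        ("reply_8443", Packet("in", app, 8443, lan, 51001, "SA")),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_allows(p), stateful.allows(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:18s} stateless={stateless!s:5s} stateful={stateful}")
```

The two failure modes of the header-only filter show up in the same trace: it admits the unsolicited inbound SYN because the source port looks like web traffic, and it drops the genuine reply on port 8443 because that port was never opened. The stateful filter gets both right from the connection table alone, which is also why it needs no per-port exceptions.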

What are VPN Tunnels and How do They Work

Virtual Private Networks (VPNs) have become one of the cornerstones of secure communications over the internet. However, there has been a lot of confusion around what VPNs can and cannot do. That confusion has led many technologists to choose a VPN solution that may not be well suited to their particular environment. That confusion can be quickly eliminated with a little education, especially when it comes to VPN tunnels. One major concern around VPNs is how secure they are. In other words, can VPNs fully protect the privacy and content of the data being transmitted?

Related content: read our blog on moving beyond remote access VPNs.

What is a VPN Tunnel?

Before one can fully grasp the concept of a VPN tunnel, one has to know exactly what a VPN is. A VPN is a connection method used to add security and privacy to data transmitted between two systems. VPNs encapsulate the data and encrypt it using an algorithm specified by the transmission protocol. VPN traffic is encrypted and decrypted at the sending and receiving ends of the connection. Today’s VPNs primarily use one of three major protocols, each of which has its advantages and disadvantages:

PPTP is one of the oldest protocols and came into existence back in the days of Windows 95. PPTP is one of the easiest protocols to deploy and is natively supported by most major operating systems. However, PPTP uses what is known as GRE (Generic Routing Encapsulation), which has been found to have vulnerabilities. In other words, PPTP may be easy to set up, but its security is the weakest of the common VPN protocols.

VPNs can also be set up using L2TP/IPsec, which has much stronger encryption than PPTP. L2TP/IPsec is actually a combination of two secure protocols that work in concert to establish a secure connection and then encrypt the traffic. L2TP/IPsec is a little more difficult to set up than PPTP, and can add some latency to a connection.

Another protocol that is gaining favor is OpenVPN, which is based upon SSL (Secure Sockets Layer) for its encryption. OpenVPN is open source and freely available. However, OpenVPN requires a certificate, which means users of the protocol may have to purchase one from a certificate authority.

Regardless of which protocol you choose, VPNs need to “tunnel” the data between the two devices. So, in essence, a VPN tunnel is the actual connection mechanism: it is the data link that surrounds the encrypted traffic and establishes a secure connection.

Why Use a VPN Tunnel?

VPNs have become an established method to ensure privacy and protect data, and are becoming very popular among internet users. Many organizations now offer VPNs for private use, with the primary goal of protecting Internet users’ privacy. These services work by offering a VPN host, which the end user connects to via client software on their device. All of the traffic between the device and the host is encrypted and protected from snooping. In other words, ISPs, broadband service providers, and any other entity that sits between the client and the host cannot see the data inside the VPN tunnel, which preserves privacy.

While personal privacy is naturally a major concern, businesses and organizations should also be focused on privacy and protecting data. Organizations that have multiple offices or remote workers should also be encrypting and protecting their data. Today’s businesses transmit proprietary information, intellectual property, and perhaps even customer data across the internet. Many businesses are also bound by compliance regulations that direct them to protect customer privacy, as well as other data. However, VPNs may not be the best solution for all businesses.
Simply put, VPN tunnels are still subject to man-in-the-middle attacks and the interception of data. While encryption may be very hard to break, it is not completely impossible. What’s more, in the not-too-distant future, quantum computers may be able to crack any of the existing encryption methodologies in a matter of minutes. That means those concerned with keeping data secure will have to look beyond the VPN tunnel.

Establishing Security Beyond VPN Tunnels

Arguably, the best way to prevent data from being intercepted over the internet is not to use the internet at all. However, for the majority of organizations that is simply not feasible. The internet has become the connective tissue between business sites and is a necessity for transmitting email, data files, and even web traffic. However, enterprises can still secure their data communications and encrypt critical data without the risk of interception by using SD-WAN technology. A Software-Defined Wide Area Network can be used to establish connection privacy between sites. SD-WANs bring forth concepts such as VLANs (Virtual Local Area Networks) that can communicate across an SD-WAN platform to establish secure connections. What’s more, SD-WANs can incorporate a full security stack, meaning that all traffic is examined for malware, intrusion attempts, and any other malicious activity. SD-WANs also prove easier to manage than multiple VPN clients and servers, and offer the flexibility to adapt to changing business needs.

SD-WAN: The Future of Secure Connectivity

SD-WAN technology allows users to manage and optimize their wide area networks, reducing costs and creating a virtual overlay on top of many different transport mechanisms. SD-WAN technology as offered by Cato Networks supports multiple transports, such as cable broadband, DSL, fiber, 4G, 5G, satellite, and any other TCP/IP transport mechanism. The Cato implementation of SD-WAN eliminates the need for multiple point solutions, dedicated hardware firewalls, and so on. Cato’s offering also eliminates the need for traditional, dedicated VPN solutions by replacing the VPN with a secure SD-WAN. To learn more about Cato Networks, please feel free to contact us, and to learn more about SD-WAN solutions, please download the Cato Networks whitepaper.

SD-WAN Confessions: How One Company Migrated from MPLS to SD-WAN

Nick Dell is an IT manager who recently led a network transformation initiative at his company, moving from MPLS to SD-WAN. Dell shared why he made that transition and the lessons he learned along the way in the webinar SD-WAN Confessions: How I migrated from MPLS to SD-WAN. We’ve also summarized his experiences here.

The company Dell works for is a leading manufacturer in the automotive industry and has nine locations and more than 2000 employees. The company has critical ERP and VoIP applications that run in the cloud. When Dell started with the company, there was an MPLS network where the provider placed three cloud firewalls at different datacenters. “We were promised, if one firewall goes down, the system will failover to the other, and each location will have LTE wireless backup,” says Dell. “The provider also committed to managing everything on our behalf.”

Issues arose about a year into the MPLS contract. One problem stemmed from overuse of the bandwidth at certain peak times, prompting the need for more bandwidth. A more serious issue was that the planned failover processes weren’t working as expected, causing system outages. “We were supposed to be connected to the Internet at all times and this just wasn’t the case,” laments Dell. “People couldn't record production; they couldn't ship trucks. It was a big problem affecting our business.”

And the problems began to mount. “We needed connectivity to our OEMs, and our vendor could not get a simple VPN tunnel from the cloud firewalls to our customer. We got so frustrated, we just abandoned it,” says Dell. “We couldn't even get fiber at some locations when we needed more bandwidth. It made us realize that not all carriers can get everything you need in certain areas.”

Mobility was another issue. “We were getting blocked switching from wired to wireless, and they couldn't fix it without an additional investment in new software plus agents on our laptops,” he says. That’s when they began looking for an alternative to their existing WAN.

Considering the Options for SD-WAN

Dell’s team spent six months to a year looking at their options for SD-WAN. They considered a carrier-managed SD-WAN solution with their current provider, using SD-WAN appliances that Dell’s company would own. “We quickly eliminated this option because that provider couldn’t deliver on the connectivity solution we already had from them. I couldn’t trust them to manage the SD-WAN,” says Dell.

Next they considered self-managed SD-WAN, where Dell’s company would own and manage equipment purchased from their same MPLS vendor. This approach had a lot of up-front costs, and the cost to assure high availability (HA) was unreasonable.

A third option was to get a cloud solution from an MSP. “We wouldn't have the direct SD-WAN solution, and some of the features for security were not built in. I'd have to go out to third parties for Internet filtering. And again, there was a limited HA discount, and I couldn't get guaranteed four-hour response time,” says Dell.

Carrier-managed SD-WAN:
- The same poorly managed service
- Ticket takers, not problem solvers
- Limited HA discount
- Device replacement took too long

SD-WAN Appliance:
- Expensive
- Box sellers
- Full security not built-in
- Limited HA discount
- Device replacement took too long

SD-WAN Cloud (MSP):
- SD-WAN not their core business
- Not direct with SD-WAN
- Full security not built-in
- Limited HA discount
- Device replacement took too long

The Company Chooses Cato SD-WAN

Next, the company considered Cato’s cloud-based SD-WAN. “There’s a lot of functionality there that really helps our business,” says Dell. “It was one of the best IT decisions we've made. It really changed the way that we do things. Cato really has the vision for the next generation of networking and security.”

Cato Cloud SD-WAN:
- All network resources on a single network
- Full stack of built-in, cloud-based security services
- Global network of PoPs interconnected by multiple tier-one carriers
- Traffic optimization across the network
- Support for cloud and mobility
- Full network visibility
- Unified security policy
- Fully managed, co-managed, self-managed service

“With Cato, we are able to go out to any ISP that we want to use. We aren’t locked into who the telco has relationships with, as with the MPLS,” says Dell. “I was able to get fiber at all our locations, and in some cases, at a third of the cost, by going with another provider. We have five to 20 times the bandwidth, and we now have robust, redundant Internet. We actually have a hot spare at each location. QoS actually works, we don't get calls about being blocked from the Internet anymore, and failover works like it is supposed to.”

“As for deployment, the cutover was easy. We did one site over a 30-minute lunch break—that’s how easy it was,” says Dell. “They worked with us to resolve an issue we initially had with user authentication and they had it fixed within a few weeks.”

Cato makes HA affordable. “They weren't trying to cash in on another device or get double their monthly fee. They are the only ones that I felt weren’t trying to make a ton of money off HA,” Dell says.

Benefits Abound with Cato

Dell says Cato support is amazing. “They are always there to answer our questions. I can get support via a webpage, I can call them, I can email them, and when I get ahold of a technician, they don’t take out a ticket and pass this up to tier two or tier three. 95 percent of the time they're on the phone, they're helping me, they're seeing a problem or fixing it or just solving the problem right then and there.”

Dell’s team collected some network performance metrics. “Even with our best MPLS circuit, we had peak response times of 106 msec. On our worst MPLS circuit, response time peaked at 302 msec. With Cato it averaged about 26 msec. Our users immediately saw the difference when working with the ERP system. They told us, ‘Whatever you did was amazing.’”

Dell says the voice quality for the VoIP service has been great. “Cato, with the quality of service, has really brought us to the next level.” Cato also improved the company’s ability to do full backups during the day because there is sufficient bandwidth to do this and not impact end users at all.

ROI was basically immediate, according to Dell. “We were able to cut over all our circuits within 60 days, and that cost savings was seen on day one. I would say it was less than six months to break even, and then we were saving money after that. I look at my monthly saving of over $2,000-$3,000 and the 5 to 20 times the bandwidth that we increased everywhere. The performance increase was huge and the ROI was pretty much instantaneous.”

Dell provides an FAQ document that illustrates the important questions to ask yourself to help you decide on the right SD-WAN solution for you. For more details about this SD-WAN migration effort, watch the webinar here.

Why is SD-WAN Considered a Top Choice Among VPN Alternatives?

AdRoll’s Global Director of IT Adrian Dunne faced several challenges when attempting to scale the company’s Internet-based VPNs. Network performance, security, and redundancy all became major issues as AdRoll grew, prompting Dunne to search for a VPN alternative. What struck me most about AdRoll’s use case was that it was a microcosm of the issues so many enterprises face with VPN. Often, VPNs make sense at a small scale or for one-off applications. However, as enterprises grow and networks become more complex, VPN’s shortcomings far outweigh its benefits. Like AdRoll, many modern enterprises are learning that the scalability, security, and reliability of cloud-based SD-WAN make it an ideal VPN alternative. So, what makes SD-WAN such an attractive VPN replacement?

Use Cases for VPN

Before we dive into the shortcomings of VPN, let’s review what makes it attractive to some enterprises in the first place. Internet-based VPN gained popularity over the last decade in part as a lower-cost, albeit flawed, alternative to MPLS (Multiprotocol Label Switching). Site-to-site VPNs enable enterprises to securely connect physical locations over the public Internet by creating an encrypted connection between two on-premises appliances. The upside here was simple: public Internet bandwidth is significantly cheaper than MPLS bandwidth. For the mobile workforce, remote-access VPNs allow employees to access WAN resources from home offices, hotels, and mobile devices using VPN client software.

Where VPN Comes Up Short

So, if VPNs can connect multiple locations securely and at a lower cost than MPLS, what are the downsides that lead so many enterprises to search for VPN alternatives? There are quite a few, including:

Appliance sprawl
With Internet-based VPN, physical or virtual appliances must be installed at each location. Not only does this increase opex, but it also adds significant complexity to the network infrastructure and creates bottlenecks when provisioning new sites. Further, appliance refreshes erode the initial cost savings VPN solutions promise.

Complexity increases as you grow
Related to the issue of appliance sprawl is the complexity of configuring VPN tunnels at new locations. As you add more locations to your network, tunnels need to be defined to each existing location. Very quickly the sheer complexity of setting up the VPN becomes too time consuming for many IT professionals.

Increased attack surface
While it is true that VPN uses secure protocols like IPsec (IP Security) and TLS (Transport Layer Security) to tunnel traffic, a lack of granular security controls can lead to unnecessary risk. For example, AdRoll users who only required access to web applications could use SSH to connect to the company’s routers.

WAN performance
Remote-access VPNs require client devices to connect to on-premises UTM (Unified Threat Management), firewall, or VPN appliances. Doing so can add significant latency and impact the performance of applications such as VoIP, telepresence, and video streaming. VPN appliances themselves also have limited bandwidth, which can lead to these appliances becoming WAN bottlenecks. Additionally, traffic that must traverse large geographical distances over the public Internet often experiences unacceptable latency levels.

Limited network visibility
With VPN, enterprises are often left in the dark when it comes to a large chunk of their data flows. With mobile workforces, this becomes an even bigger challenge. Often, mobile users connect directly to services like Office 365, limiting corporate oversight and auditing capabilities.

Unpredictable and unreliable service
Internet-based VPN is inherently reliant on the public Internet. With the lack of SLAs and the underlying fundamental problems with Internet routing, enterprises that choose Internet-based VPN must sacrifice some level of service reliability.

How Cloud-Based SD-WAN Addresses VPN Challenges

With the rapid evolution of enterprise networking, enterprises are realizing that the tradeoffs associated with VPN simply aren’t worth it. A shift towards SaaS-based architectures, mobile workforces, and latency-sensitive applications like UCaaS (Unified Communications as a Service) makes scalable, agile, and secure WAN connectivity a must. Cato’s cloud-based SD-WAN meets these demands and addresses the shortcomings of VPN. With Cato Cloud, enterprises get:

Scalable, cloud-native infrastructure
With a converged, cloud-native network infrastructure, Cato Cloud enables enterprises to provision new sites in minutes as opposed to days and eliminates the need for the majority of on-premises appliances. Nor do IT pros need to configure tunnels between locations. All of which reduces operational expenses (opex) and brings the hyper-scalability of the cloud to the WAN.

Granular policy enforcement
A full cloud-native security stack with features like NGFW (Next-generation firewall) enables granular policy enforcement for all users and applications. Enterprises can enforce policies down to the application and user level.

Optimized WAN performance
Cato’s global private backbone addresses latency in the middle mile. Features like active/active failover, Intelligent Last Mile Management (ILMM), and dynamic path selection help optimize WAN performance in the last mile as well. Further, Cato’s mobile client eliminates the need for the inefficient backhauling associated with remote-access VPN. Additionally, the scalability of the cloud eliminates the issue of on-premises appliances creating a bottleneck. The result? WAN performance that far outstrips VPN. Case in point: Cato customer Paysafe found that Cato Cloud had 45% less latency than Internet-based VPN.

In-depth network visibility
The cloud-native security stack built into the Cato Cloud enables application- and user-level visibility into network data flows. This holds true for mobile users and cloud applications as well. In fact, Adrian Dunne and the AdRoll team gained deeper insight into cloud usage with Cato. According to Dunne, “Now we can see who’s connecting when and how much traffic is being sent, information that was unavailable with our previous VPN provider…correct oversight and monitoring of logs ties directly into the bigger security conversation.”

Reliable, SLA-backed performance
Cato’s private backbone is connected by multiple Tier-1 ISPs (Internet Service Providers) and backed by a 99.999% uptime guarantee. With 45+ PoPs (Points of Presence) across the globe, Cato’s backbone delivers reliable and predictable performance on a global scale. Additionally, a shared datacenter footprint with major cloud service providers enables optimal egress for cloud traffic, eliminating the need for services like AWS Direct Connect.

SD-WAN Provides Enterprises with a Modern VPN Alternative

While VPN can address select small-scale WAN use cases, it simply isn’t designed to meet the demands of the modern digital business. By taking a converged, scalable, and secure approach to WAN connectivity, cloud-based SD-WAN serves as the ideal VPN alternative and enables enterprises to get the most out of their networks. If you’d like to learn more about how to modernize and optimize your WAN, contact us. If you’d like to see Cato Cloud in action, you’re welcome to sign up for a demo.

What is Network Visibility?

When I read that less than 20% of IT professionals indicated their organizations can properly monitor public cloud infrastructure, it reminded me of the recurring network visibility conversations I have with network managers from around the globe. The dynamic and distributed nature of cloud workloads, coupled with a mobile workforce, makes avoiding shadow IT and achieving granular visibility of network flows challenging for many enterprises. Traditional VPN solutions enable connectivity for mobile and remote employees but do little to enable the same visibility and control possible on-premises. Routing traffic back through corporate headquarters for auditing isn’t a practical solution. Doing so hamstrings performance and limits the benefits cloud and mobile bring in the first place.

Fortunately for enterprises, cloud-based SD-WAN solves this problem by making secure, monitored, and policy-enforced WAN connectivity possible across the globe, on-prem and in the cloud, without sacrificing performance. But what exactly makes cloud-based SD-WAN different? Before we answer that, let’s take a closer look at network visibility and explore the challenges cloud and mobile create.

Network Visibility Defined

Network visibility is the collection and analysis of traffic flows within and throughout a network. At the most granular level, enterprises may strive to achieve visibility down to the packet, user, and application. Worded differently, network visibility is what enterprises generally aim to gain from network and security monitoring tools. Granular network visibility brings several benefits to the enterprise. With in-depth network visibility, organizations can improve security through stricter policy enforcement, rapid detection of malicious behavior, and a reduction in shadow IT. Additionally, network visibility can improve network analytics and application profiling. This, in turn, enables better reporting, more informed decision making, and improved capacity planning.

Network Visibility Challenges Created by Cloud and Mobile

One of the biggest challenges enterprises face with network visibility is addressing the blind spots created by cloud and mobile. It is easy for an enterprise to fall into a false sense of security because it can view all the traffic traversing its MPLS links. The problem is that today’s enterprise WANs are a mix of MPLS, Internet-based VPNs, mobile users, and cloud services. Under those circumstances, traditional monitoring tools simply aren’t able to provide visibility across the entirety of the WAN.

Traditionally, network visibility within the WAN has been made possible by SIEM (security information and event management) solutions and network management systems that aggregate packet flow data from multiple security and network monitoring tools such as security appliances, firewalls, and endpoint sensors. While these tools can be made to work effectively when traffic is restricted to the WAN, they begin to fall apart when cloud and mobile come into play. For example, endpoint sensors generally can’t run on mobile devices. Similarly, capturing application-level visibility on traffic to and from cloud datacenters becomes a major challenge. This is because each cloud platform often comes with its own set of security policies and protocols, creating silos and blind spots within the network. The fact that traditional monitoring tools, like SNMP (Simple Network Management Protocol) and many agent-based solutions, simply don’t work in the cloud makes things worse. Further, because they can obscure the data from network sensors, Network Address Translation (NAT) and encryption reduce the usefulness of the sensors and can stifle packet inspection efforts.

Another downside to the traditional approach to network visibility and packet inspection is that it is tied to physical or virtual site-specific devices such as Next-generation Firewalls (NGFWs), Secure Web Gateways (SWGs), and Unified Threat Management (UTM) appliances. Each location within the WAN requires its own set of appliances that must be sourced, provisioned, and maintained. The alternative is to backhaul all traffic to a central location on the WAN for inspection, which creates latency and impacts performance.

As a result, the appliance-based approach to network visibility and security scales poorly. The more appliances an enterprise has, the more complex the network becomes. Appliances also inherently have capacity constraints that limit how much traffic can be inspected and analyzed without a hardware upgrade. Additionally, not only do appliances have to be provisioned and deployed, they have to be maintained, patched, and eventually replaced. As the enterprise grows, this can become a patchwork of appliances with varying configurations, firmware revisions, and policies. The result is limited network visibility and potential security vulnerabilities created by oversight or policy deviations between sites.

However, the best way to conceptualize the network visibility challenges facing the modern enterprise may be to consider the task of securely connecting mobile users to resources in the cloud. In this scenario, if enterprises wish to gain some level of visibility over the data flows, mobile users traditionally must connect via a VPN back to on-premises appliances for auditing and inspection. The traffic is then routed on to a local Internet access point, or across the WAN to a centralized and secure Internet access point, before making its way to its destination in the cloud. This approach has a significant impact on performance, making it unattractive to most enterprises. This is one of the reasons over half of the enterprises we surveyed reported they let mobile users connect directly to the cloud. Unsurprisingly, over half of the respondents also indicated that “lack of visibility and control” was their biggest challenge when it comes to providing mobile users access to business applications.

How Cloud-Based SD-WAN Enables Complete Network Visibility

As we can see, the traditional appliance-based approach left enterprises facing an unattractive tradeoff: sacrifice performance for some level of security and visibility, or sacrifice network visibility in the name of performance. Cato’s cloud-based SD-WAN solves this problem by shifting the paradigm away from an appliance-based approach that is bound to physical locations. The reason Cato Cloud is different stems from its global, SLA-backed private backbone and cloud-native network infrastructure that bakes security and monitoring into the network. The backbone consists of 45+ Points of Presence (PoPs) across the globe, and Cato strives to have a PoP within 25 milliseconds of any Cato user. Within the Cato Cloud, the cloud-native network infrastructure provides the network security and monitoring features that used to require discrete on-premises appliances.

As opposed to having network traffic routed through an on-premises appliance, mobile users can connect to the Cato Cloud using Cato’s mobile client. This enables secure and optimized mobile connectivity to cloud applications and WAN resources. Mobile users get the same protection and performance as they would on-premises. IT also benefits from this cloud-based approach to WAN connectivity. With Cato Cloud, network complexity is reduced while network visibility is increased, streamlining operations while enhancing security. Features that make this possible include:

Next-generation Firewall (NGFW)
Cato’s built-in NGFW functionality enables application-level awareness of network traffic without deploying multiple appliances. Unlike on-premises appliances, Cato’s NGFW provides enterprises the benefit of unlimited scalability and full traffic inspection without forced upgrades.

Identity-Aware Routing
In addition to enabling the business process, QoS (Quality of Service), and high-level policy abstraction, Cato’s revolutionary identity-aware routing engine makes business-centric network visibility possible. IT can view activity and network flows at the site, group, host, and user levels to improve network planning.

Managed Threat Detection and Response (MDR)
Cato’s MDR offers enterprises zero-footprint network visibility by gathering complete metadata for all WAN and Internet flows without deploying any network probes.

Cato Helps Enterprises Gain the Network Visibility Modern Enterprises Demand

The takeaway here is simple: because Cato provides a converged WAN platform, it can provide granular network visibility in a simple and scalable manner. By shifting away from an appliance-based approach to WAN management, Cato brings the benefits of the cloud to the WAN. As a result, Cato customers are seeing benefits in the real world and improving network visibility and performance by making the switch to Cato Cloud. For example, after choosing Cato over appliance-based SD-WAN and MPLS, Nathan Trevor, IT Director at Sanne Group, was quoted as saying: “Now I can open a Web browser and see the state of connectivity for every single site globally. I can even see down to a single person and how much bandwidth (s)he is using. Cato is powerful beyond belief.” You can read more about Sanne Group’s use case in this case study. If you’d like to learn more about Cato Cloud or see it in action for yourself, contact us or schedule a demo today.

With the Issues Packet Loss Can Create on the WAN, Mitigation is a Priority

Network packets, the protocol data units (PDUs) of the network layer, are often taken for granted by network pros. We all get the concept: to transmit data over a TCP/IP network like the Internet, the data must be broken down into small packets (usually less than 1500 bytes) containing the relevant application data (“payload”) and headers. Routers forward these packets from source to destination, and data encapsulation enables the data to traverse the TCP/IP stack. The problem arises when this process fails and packet loss occurs.

Packet loss is, intuitively, when some packets fail to reach their destination. Left unchecked, packets not reaching their destination can quickly become a major problem in an enterprise. When apps demand real-time data streams, even a relatively small amount of loss can create major problems. For example, Skype for Business connections MUST keep packet loss under 10% for any 200-millisecond interval and under 1% for any 15-second interval. That’s not much room for error, and similar requirements exist for other mission-critical VoIP (Voice over Internet Protocol) and telepresence apps, making packet loss mitigation an enterprise priority. Let’s explore packet loss in more depth and explain how Cato can reduce it on the enterprise WAN.

How Much is Too Much?

When discussing WAN optimization, the question of “what is an acceptable level of packet loss?” comes up quite a bit. I’m not a big fan of labeling any level of packet loss as “acceptable”, although a dropped packet here or there isn’t a major concern. As a rule of thumb, random packet loss exceeding about 1% can noticeably degrade the quality of VoIP or video calls. As packet loss increases, calls get choppy and robotic, video cuts in and out, and eventually connections are lost.

The surge in UCaaS (Unified Communications as a Service) popularity adds another wrinkle to the problem of packet loss. With voice and video services residing in the cloud, enterprises need a predictable low-latency connection to UCaaS providers like RingCentral, 8x8, and Telstra. In many cases, the public Internet is too unreliable for the job and MPLS (Multiprotocol Label Switching) is too inflexible and expensive. In addition to packet loss, latency, jitter, and security also become concerns with UCaaS. We deep dive on this topic in 4 Ways Cato is Perfect for UCaaS.

Detecting Packet Loss

Packet loss is calculated by measuring the ratio of lost packets to total packets sent. For example, in the ping output below, we see 1/5 of our packets did not make it to catonetworks.com, for a total of 20% packet loss.

ping catonetworks.com -t
Pinging catonetworks.com [203.0.113.2] with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=105ms TTL=56
Reply from 203.0.113.2: bytes=32 time=136ms TTL=56
Reply from 203.0.113.2: bytes=32 time=789ms TTL=56
Reply from 203.0.113.2: bytes=32 time=410ms TTL=56
Request timed out.

Ping statistics for 203.0.113.2:
    Packets: Sent = 5, Received = 4, Lost = 1 (20% loss),
Approximate round trip times in milli-seconds:
    Minimum = 105ms, Maximum = 789ms, Average = 360ms

Tools commonly used to detect packet loss include:

ping. This is the simplest tool to detect packet loss and can be effective for ad-hoc troubleshooting. However, since many firewalls block ICMP (Internet Control Message Protocol) and ICMP is often given low priority by network devices, ping isn’t always enough.

tracert/traceroute. tracert (Windows) and traceroute (*nix) help identify the specific hop where packet loss begins.

Network monitoring software. Software applications like SolarWinds Network Performance Monitor, PRTG, Nagios, and Zabbix can all help monitor for packet loss at scale.

For the enterprise WAN, Cato Cloud’s Intelligent Last-Mile Management (ILMM) continuously measures packet loss in the last mile.
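As an added example (not part of the original post and not Cato code), the following Python parses Windows-style ping output like the excerpt above into loss and RTT statistics, then checks a constructed 20 ms voice packet stream against the two Skype for Business limits quoted earlier (10% over any 200 ms interval, 1% over any 15 s interval). The limits are treated as inclusive maxima and only fully observed windows are scored; both are assumptions made for this example.

```python
"""Ping-output parsing and windowed packet-loss checks.

Added example; not Cato code. All sample data below is constructed.
"""
import re

# Constructed to match the Windows-style ping excerpt in the post.
PING_OUTPUT = """\
Pinging catonetworks.com [203.0.113.2] with 32 bytes of data:
Reply from 203.0.113.2: bytes=32 time=105ms TTL=56
Reply from 203.0.113.2: bytes=32 time=136ms TTL=56
Reply from 203.0.113.2: bytes=32 time=789ms TTL=56
Reply from 203.0.113.2: bytes=32 time=410ms TTL=56
Request timed out.
"""

# Windows prints "time=105ms" or "time<1ms"; both forms are accepted.
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<](\d+)ms")
TIMEOUT_RE = re.compile(r"^Request timed out\.")


def parse_ping(output):
    """Return sent/received counts, loss percentage and RTT min/max/avg.

    Each 'Reply from' line is a probe that was sent and answered; each
    'Request timed out.' line is a probe that was sent and lost.
    """
    sent = received = 0
    rtts = []
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            sent += 1
            received += 1
            rtts.append(int(m.group(1)))
        elif TIMEOUT_RE.match(line):
            sent += 1
    loss_pct = 100.0 * (sent - received) / sent if sent else 0.0
    return {
        "sent": sent,
        "received": received,
        "loss_pct": loss_pct,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "rtt_avg": sum(rtts) / len(rtts) if rtts else None,
    }


def max_window_loss_pct(packets, window_ms):
    """Worst-case loss percentage over any window of window_ms.

    packets: list of (send_time_ms, delivered) sorted by send time. The window
    anchored at packet i holds every packet sent within window_ms of packet i.
    Windows that run past the end of the stream are skipped (assumption), except
    when the whole stream is shorter than one window. Two-pointer sweep, O(n).
    """
    worst = 0.0
    j = 0          # first packet outside the current window
    lost = 0       # lost packets inside packets[i:j]
    for i, (t_i, _) in enumerate(packets):
        while j < len(packets) and packets[j][0] - t_i < window_ms:
            if not packets[j][1]:
                lost += 1
            j += 1
        fully_observed = j < len(packets) or i == 0
        if fully_observed:
            worst = max(worst, 100.0 * lost / (j - i))
        if not packets[i][1]:
            lost -= 1  # packet i drops out of the window before the next step
    return worst


def check_voice_thresholds(packets):
    """Apply the Skype for Business limits quoted in the post: at most 10% loss
    in any 200 ms interval and at most 1% in any 15 s interval (treated as
    inclusive limits, an assumption of this example)."""
    worst_200ms = max_window_loss_pct(packets, 200)
    worst_15s = max_window_loss_pct(packets, 15_000)
    return {
        "worst_200ms": worst_200ms,
        "worst_15s": worst_15s,
        "ok_200ms": worst_200ms <= 10.0,
        "ok_15s": worst_15s <= 1.0,
    }


def make_stream(count, interval_ms, lost_indices):
    """Constructed packet stream: `count` packets, one every interval_ms, with
    the packets at lost_indices marked as undelivered."""
    return [(i * interval_ms, i not in lost_indices) for i in range(count)]


if __name__ == "__main__":
    stats = parse_ping(PING_OUTPUT)
    print(f"ping: {stats['loss_pct']:.0f}% loss, avg RTT {stats['rtt_avg']:.0f} ms")
    # 20 s of 20 ms voice packets with 8 scattered drops: no 200 ms window sees
    # more than one drop (10%), but the first 15 s window sees 8/750 = 1.07%,
    # so the stream fails the 15 s rule while passing the 200 ms rule.
    stream = make_stream(1000, 20, {50, 150, 250, 350, 450, 550, 650, 700})
    print(check_voice_thresholds(stream))
```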
Causes of Packet Loss

Detecting packet loss is one thing, but knowing how to identify the root cause is another. Common causes of packet loss include:

Routers with heavy CPU load. Routers have a finite amount of compute capacity; if the CPU load gets too heavy, packets can be dropped.

Security breaches. Malware or Denial of Service (DoS) attacks can consume a significant amount of bandwidth and resources, leading to packet loss.

Misconfigurations. Oftentimes, the cause of network outages is human error. The same holds true for packet loss. Misconfigured switches, routers, servers, or firewalls can lead to dropped packets. A textbook example is using half-duplex where full-duplex is needed, or vice versa.

Network congestion. The more traffic there is on a network, the more likely packets are to be dropped before reaching their destination.

Faulty hardware. Bad cables, routers, servers, and switches can all lead to packet loss and intermittent connectivity.

Software bugs. Packet loss can be related to a bug in a given piece of software or firmware, and updating may fix the problem.

How Cato Cloud Mitigates Packet Loss for the Enterprise WAN (with proof!)

With all the potential causes of packet loss and the Quality of Experience (QoE) issues it can create on the WAN, mitigating it is a priority. Cato Cloud has a number of built-in features that make the WAN resilient against packet loss, such as:

Forward Error Correction (FEC). Adds redundant data to the stream so that the receiver can reconstruct lost packets without requesting retransmission, which would otherwise add to network congestion.

Identity-aware Quality of Service (QoS). Identity-aware routing and business process QoS take standard QoS to the next level by allowing critical data (e.g. an executive call) to be prioritized over standard traffic.

Dynamic Path Selection and Policy-based Routing (PbR). By proactively working around brownouts and blackouts, the Cato network automatically ensures packets are routed over an optimal path every time.

Active-active link usage. Ensures performance degradation in a single last-mile link can be overcome.

Packet duplication and Fast Packet Recovery. Help ensure rapid and reliable delivery of packets to reduce last-mile packet loss.

Just how effective is Cato at mitigating the effects of packet loss? RingCentral conducted testing that demonstrated Cato delivers high-quality voice connectivity across connections with packet loss up to 15%. If you find it hard to believe, check out this webinar and hear it for yourself. Many Cato users have already experienced these benefits first hand. For example, according to Alewijnse ICT Manager Willem-Jan Herckenrath, when comparing Cato to MPLS, “Latency and packet loss are low. Even the users outside of Europe have the same or better user experience with our HD video conferencing and our CAD system (which runs over Citrix)”.

If you’re interested in learning more about how Cato can reduce packet loss on the enterprise WAN, contact us today.

Talking WAN Transformation and Managed Services with Virgin’s Network and Security Architect Frankie Stroud

Every few weeks, yet another survey confirms enterprise interest in SD-WAN. To help inform enterprises how best to make the transition to SD-WAN, I’ve been speaking with independent engineers and network architects around the industry for their insights and suggestions. The following is the first of these interviews, with Frankie Stroud, network and security architect for the Virgin Australia Group. Think you could add to the conversation or have someone you think I should speak with? Give me a shout and let me know.

Dave Greenfield (DG): Frankie, let’s start with you. Who is Frankie?

Frankie Stroud (FS): I’m a contractor in the Brisbane [Australia] area, currently at Virgin Australia [VA], where I’ve been for about eighteen months. Before VA I was with Optus and a few other domestic telecommunications companies. I’ve also worked with network integrators. I mainly act as a system guide for organizations. I look at the viability of technologies, at proofs of concept, and pilot setups for the customer in order for them to assess technology.

DG: So what exactly are your responsibilities at Virgin?

FS: VA is going toward a digital cloud transformation. They have a managed service environment, sort of constrained by the approach that the service provider takes. There’s no real automation in place, no scripts, nothing to really drive efficiencies out of the network. That was one of the key reasons we started to look at technologies which would simplify those things. For instance, we changed VA’s WiFi environment to [Cisco] Meraki, a solution based on the principles of cloud-based controllers and simplified, template-based configuration. As SD-WAN is starting to mature and gain some traction in the market, we’re starting to look at that more seriously.

DG: Do carriers perceive SD-WAN differently than their customers?

FS: Yeah. We see a lot of the providers here in Australia trying to push NBN [national broadband network]-type services as their business grade A-type service, and what we see is there’s next to no difference between those services running on SD-WAN versus ones supposedly providing quality of service or a best-effort-type service. That, I suppose, is not a good sign for some of the telcos trying to add value within their particular environments, but it’s certainly of benefit to the enterprise customers who are just looking to pick up some bandwidth here and there.

DG: Should a customer care about which SD-WAN platform a provider is delivering?

FS: I certainly think so, especially nowadays when organizations want to make changes rapidly and not just through the virtual server or virtual storage environment. Devices can be spun up reasonably fast. The network has started to become the bottleneck, and we want to remove that, not have it keep us from meeting our business objective because of a longer SLA process.

DG: What about QoS? Walk me through what happens when a customer calls and says they want to change the QoS setting. Does that happen frequently?

FS: It would probably happen more frequently if it was a simpler process. I think people put up with a lot of pain around QoS. We’ve had a few times [at VA] when we’ve tried to avoid making changes to QoS because we have to get the network and the CPE sides of the telco involved. Those are typically two separate functions within the telco environment. Marrying up those two parts of the organization in order to make a change is a process in itself.

DG: You mentioned the CPE nodes. There’s been a lot of conversation about white box hardware. What are your thoughts?

FS: I actually quite like the idea. I don’t think it extends the life of the environment, because it’s still hardware, regardless if it is a white box or an appliance provided by the vendor. But it certainly gives you choices to extend virtualization and to virtualize different elements.

DG: Having been on both enterprise and telco sides of the industry, if a corporate customer said, “Frankie, I am interested in purchasing a managed service,” what advice would you give them?

FS: Well, I would ask what they want to achieve. There’s a lot of communication now around a co-managed environment, where the provider takes a level of responsibility for the platform and the customer takes on all policy or templates or just monitoring. But you’ve got to question whether you have the resources to take this in house. What are you going to gain?

DG: What are the skills an organization needs to run SD-WAN in house?

FS: Those skills are certainly a lot lower than in the past. You would certainly need someone who understands the concepts, the protocols, but not necessarily how the platform goes about driving changes throughout the environment. You need people who can maybe understand more on the visual side, the analytics, the monitoring, by looking at the information that’s presented. They will just interpret and understand that rather than memorizing lots of different commands.

DG: What’s the biggest risk enterprises face when migrating from MPLS to SD-WAN?

FS: One of the biggest problems is when you don’t want to make the full transition and insist on having both networks coexist. So they have an SD-WAN environment plus one which is driven by BGP protocol routes. Depending on the platform, you may end up not utilizing the most efficient path to a destination, so in order to join the two environments, you have to go through another, different set of hub points. If you are geographically spread, that may be problematic. I think the migration between the two environments requires an overlay technology or, in the case of Cato, moving to a cloud platform, a location.

DG: Is WAN transformation only about replacing MPLS for you?

FS: Well, I think architecturally there’s a big difference [between MPLS and SD-WAN]. Organizations on that journey to AWS, Azure, Google, you name it, or ones looking at more SaaS-type applications, can benefit from not backhauling through a datacenter environment before reaching out to those provider environments. There are architectural efficiencies that come out of placing a bit more control in the hands of the user, allowing them to select and steer applications based on business policy.

DG: What are the security implications of moving away from MPLS? For example, with local Internet breakout?

FS: Definitely, if an organization has opened up their environment to an Internet feed of some sort, then security does play a part, whether you’re encrypting over a tunnel to a centralized platform to protect the local site from a DDoS point of view, or if you’re just dropping traffic straight out to the Internet. You’ve got to consider the direction that traffic is taking. How do you protect against DLP and ensure data is not leaking from your environment? How do you ensure that stuff coming back into the environment via that location hasn’t got some sort of malware in it at some point? So having that control has to be taken into consideration.

DG: Okay, here’s probably the most important question I have today: What’s your favorite movie you’ve seen in the past six months?

FS: I suppose Avengers: Endgame. That was good.

Solving the Challenges of SD-WAN Security with Cloud-Native

August 2019 saw a significant increase in the discovery of new malware, according to statistics from AV-TEST - The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.

As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago. These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service. But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.

WAN Security and the Challenges Facing the Enterprise

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN. MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits, and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately.

Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge. For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings, including:

Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk, and manual configuration is conducive to oversights and errors.

Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.

Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add cloud support to most appliances, from both a security and a connectivity standpoint.

Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer

The cloud-native network infrastructure supporting the Cato Cloud takes SD-WAN security to the next level by integrating security features into the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, Cato’s cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking in security features, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management. Additionally, inspection of TLS traffic occurs at the PoPs (Points of Presence) on Cato’s global private backbone, helping to secure traffic to and from the cloud efficiently. Further, with Cato’s Software Defined Perimeter, support for mobile users becomes simple and scalable. In short, by shifting security functions to the cloud, Cato delivers a security as a service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.

Enterprise-Grade Cloud-Based SD-WAN Security Features

Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set Cato Cloud apart.

NGFW. Cato’s NGFW inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.

Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories, and enterprises can input their own custom rules to further optimize web safety within the WAN.

Anti-malware. To deliver enterprise-grade anti-malware functionality, the Cato Cloud takes a two-pronged approach. First, a signature and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, Cato has partnered with infosec industry leader SentinelOne to incorporate artificial intelligence and machine learning to identify unknown malware that may evade signature-based checks.

IPS. Cato’s Intrusion Prevention System provides contextually aware SD-WAN security. Customers benefit from the scale of the Cato network in the form of a more robust IPS. Cato Research Labs uses big data to optimize IPS performance and reduce false positives and false negatives.

Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to Cato’s security operations center (SOC). With MDR, enterprises not only reduce the support burden on in-house staff, they minimize one of the key drivers of damage created by malware: dwell time. Cato’s SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (here’s a genericized example report for reference (PDF)).

Cato Offers Modern and Scalable SD-WAN Security

As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable Cato to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective. This point is driven home by Cato customer Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look at Cato. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality Cato Networks has to offer, it will bring significant financial, functional and IT management benefits.”

If you’d like to learn more about how Cato is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, contact us. If you’re still not convinced and would like to see Cato Cloud in action, you’re welcome to schedule a demo to see it live.

The Secure Access Service Edge (SASE) as Described in Gartner’s Hype Cycle for Enterprise Networking, 2019

In its recent Hype Cycle for Enterprise Networking, 2019, Gartner recognized Cato Networks as a “Sample Vendor” in the Secure Access Service Edge (SASE) category. Below is the verbatim text of the SASE section from the Gartner report. To better understand SASE, check out this summary on Secure Access Service Edge (SASE) or read this whitepaper on why The Network for the Digital Business Starts with the Secure Access Service Edge (SASE) to understand how Cato meets SASE requirements.

Secure Access Service Edge

"Analysis By: Joe Skorupa; Neil MacDonald

Definition: The secure access service edge (SASE) are emerging converged offerings combining WAN capabilities with network security functions (such as secure web gateway, CASB and SDP) to support the needs of digital enterprises. These needs are radically changing due to the adoption of cloud-based services and edge computing. These capabilities are delivered as a service based upon the identity of the entity, real time context and security/compliance policies. Identities can be associated with people, devices, IoT or edge computing locations.

Position and Adoption Speed Justification: SASE (pronounced “sassy”) is in the early stages of development. Its evolution and demand are being driven by the needs of digital business transformation due to the adoption of cloud-based services by distributed and mobile workforces and the adoption of edge computing. The legacy data center should no longer be considered the center of network architectures. Users, sensitive data, applications and access requirements will be everywhere. The new center of secure access networking design is the identity — of the user, device, IoT/OT systems and edge computing locations and their needs for secure access services to cloud-based services directly including an enterprise’s applications running in IaaS. This inversion of networking and network security patterns will transform the competitive landscape over the next decade and create significant opportunities for enterprises to reduce complexity and allow their IT staff to eliminate mundane aspects of the network and network security operations. Multiple incumbent vendors from the networking and network security are developing new cloud-based offerings or are enhancing existing cloud delivery based. The breadth of services required to fulfill the broad use cases means very few vendors will offer a complete solution in 2019, although many already deliver a broad set of capabilities. SASE services will converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, software defined perimeter (zero trust network access), DNS protection and firewall as a service. It isn’t sufficient to offer a SASE service built solely on a hyperscale provider’s limited number of points of presence. To compete effectively and meet requirements for low latency, significant investments in geographically disperse points of presence will be necessary. Some agent-based capabilities will be necessary for policy-based access for user-facing devices and some on-premises based capabilities will be required for networking functions such as QoS and path selection. However, these will be centrally managed from a cloud-based service. SASE offerings that rely on an on-premises, box-oriented delivery model or that rely on a limited number of cloud points of presence will be unable to meet the requirements of an increasingly mobile workforce and emerging latency sensitive applications. This will drive a new wave of consolidation as vendors struggle to invest to compete in this highly disruptive, rapidly evolving landscape.

User Advice: Gartner expects a number of SASE announcements over the next several months as vendors merge or partner to compete in this emerging market. Most SASE offerings will be purpose built for scale-out, cloud-native and cloud-based delivery and optimized to deliver very low latency services. Keep in mind that in the early days of this transition there will be a great deal of slide-ware and marketecture, especially from incumbents that are ill-prepared for the cloud-based delivery model from distributed POPs. This is a case where software architecture and implementation matters. Additionally, be wary of vendors that propose to deliver the broad set of required services by linking a large number of products via virtual machine service chaining, especially when the products come from a number of acquisitions. This approach may speed time to market but will result in inconsistent services, poor manageability and high latency. In many cases, branch office SASE adoption will be driven by network and network security equipment refresh cycles and associated MPLS offload projects. However, other use cases will drive earlier adoption. I&O leaders should identify use cases where SASE capabilities will drive measurable business value. Mobile workforce, contractor access and edge computing applications that are latency sensitive are three likely opportunities. For example, secure access consolidation across CASB, SWG and software defined perimeter solutions, providing a unified way for users to connect to SaaS applications, internet websites and private applications (whether hosted on-premises or in public cloud IaaS) based on context and policy. Because the technology transition to SASE cuts across traditional organizational boundaries, it is important to involve your CISO and lead network architect when evaluating offerings and roadmaps from incumbent and emerging vendors. Expect resistance from team members that are wedded to appliance-based deployments.

Business Impact: SASE will enable I&O and security teams to deliver the rich set of secure networking and security services in a consistent and integrated manner to support the needs of digital business transformation, edge computing and workforce mobility. This will enable new digital business use cases (such as digital ecosystem and mobile workforce enablement) with increased ease of use, while at the same time reducing costs and complexity via vendor consolidation and dedicated circuit offload.

Benefit Rating: Transformational

Market Penetration: Less than 1% of target audience

Maturity: Emerging”

SASE Hype Cycle Phases, Benefit Rating and Maturity Levels According to Gartner

Hype Cycle Phase

Gartner describes Secure Access Service Edge as being in the “Innovation Trigger” phase of the Hype Cycle. This is the initial phase of a technology, which Gartner defines as “A breakthrough, public demonstration, product launch or other event generates significant press and industry interest.” Technologies proceed through four additional phases until being removed from the Hype Cycle. By way of comparison, SD-WAN is in the “Slope of Enlightenment,” the second to final phase of the Hype Cycle. Gartner describes this phase as follows: “Focused experimentation and solid hard work by an increasingly diverse range of organizations lead to a true understanding of the technology’s applicability, risks and benefits. Commercial off-the-shelf methodologies and tools ease the development process.”

Benefit Rating

Gartner identifies SASE as having a Benefit Rating of “Transformational.” Gartner defines a transformational benefit rating as a technology that “Enables new ways of doing business across industries that will result in major shifts in industry dynamics.”

Maturity

Gartner defines SASE as having a maturity level of “Emerging.” Gartner defines emerging as markets where there’s “Commercialization by vendors” and ”Pilots and deployments by industry leaders.”

* “Hype Cycle for Enterprise Networking, 2019,” Andrew Lerner and Danellie Young, 9 July 2019

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Cloud-based SD-WAN: The optimal approach to WAN latency

A recent Tech Research Asia study found that on average, “network problems” lead to 71 hours of productivity loss. This stat struck a chord with me as it helps to quantify a common problem the Cato team works with customers to solve: reducing WAN latency. With the growing popularity of cloud services like Unified Communications-as-a-Service (UCaaS) and the surge in mobile users thanks to Bring Your Own Device (BYOD) and the ubiquity of smartphones, low latency has become more important than ever. However, keeping WAN latency in check while using traditional solutions, like MPLS or VPN, with cloud services has become impractical. As a result, many enterprises, like Centrient Pharmaceuticals, are turning to cloud-based SD-WAN providers to deliver WAN connectivity and WAN optimization that meets the demands of modern networks. But why is cloud-based SD-WAN so much more effective at addressing the WAN latency problem? We’ll answer that here.

Understanding WAN Latency

Before we explore the solution, let’s review the problem. At a high level, we’re all familiar with what latency is: the time data takes to traverse a network. Traditionally, the main drivers of WAN latency have been distance, routing issues, hardware limitations, and network congestion. The higher the latency, the worse application performance will be. For serving web pages, latency measured in milliseconds (ms) generally isn’t an issue. Real-time applications like Voice over IP (VoIP) and videoconferencing are where latency can make or break performance and productivity.

At what levels can you expect to see performance degradation? In this blog post, Phil Edholm pointed out that the natural pause in human voice conversations is about 250-300 ms. If the round-trip latency (a.k.a. Round Trip Time or RTT) is longer than that, call quality degrades. For many UCaaS services, performance demands are even higher. For example, Skype for Business requires latency of 100 ms or less.

Addressing WAN latency: why legacy WAN solutions come up short

Apart from cloud-based SD-WAN, enterprises have 3 main options for WAN connectivity: appliance-based Do-It-Yourself (DIY) SD-WAN, VPN, and MPLS (for a crash course on the differences, see SD-WAN vs. MPLS vs. Public Internet). All 3 come up short in tackling the WAN latency problem, for several reasons.

Both DIY SD-WAN and VPN have proven inadequate in keeping latency at acceptable levels for a simple reason: neither offers a private network backbone, and the public Internet doesn’t make for a reliable WAN backbone. As this SD-WAN Experts report demonstrated, WAN latency is very much a middle-mile problem. The study showed that while the last mile is significantly more erratic, the middle mile was the main driver of network latency.

On the surface, MPLS seems to solve this problem. It eliminates the public Internet from the equation and provides a low-latency backbone. However, MPLS creates challenges for enterprises because it is notoriously expensive and inefficient at meeting the demands of cloud and mobile. As bandwidth demands increase, MPLS costs become more and more prohibitive. Agility may be an even larger problem with MPLS. It was designed to reliably transport data between a few static locations, but WAN traffic is becoming increasingly dynamic; cloud and mobile are now the norm. When the paradigm changed, enterprises using MPLS encountered the trombone routing problem. By forcing enterprises to inefficiently backhaul Internet-bound traffic through corporate datacenters for inspection, trombone routing adds WAN latency and degrades the performance of real-time applications.

How cloud-based SD-WAN solves the WAN latency problem

Cato’s cloud-based SD-WAN is able to efficiently solve WAN latency because of its affordable, private, SLA-backed, global WAN backbone; intelligent and agile routing; optimized mobile and cloud connectivity; and the ability to provide affordable WAN connectivity. As opposed to relying on the public Internet, Cato provides customers access to its private backbone consisting of over 45 Points of Presence (PoPs) across the globe. This means Cato bypasses the latency and congestion common to the public Internet core.

Dynamic path selection and end-to-end route optimization for WAN and cloud traffic complement the inherent advantages of a private backbone, further reducing WAN latency. Cato PoPs monitor the network for latency, jitter, and packet loss, routing packets across the optimum path. Furthermore, PoPs on the Cato backbone collocate in the same physical datacenters as the IXPs of the leading cloud providers, such as AWS. The result: low-latency connections comparable to private cloud datacenter connection services, such as AWS Direct Connect. For a deeper dive on how Cato helps optimize cloud connectivity, see How To Best Design Your WAN for Accessing AWS, Azure, and the Cloud.

Proving the concept: the real-world WAN latency benefits of Cato Cloud

Conceptually, understanding why cloud-based SD-WAN provides an optimal approach to addressing WAN latency is important. But proving the benefits in the real world is what matters. Cato customers have done just that. For example, after switching from MPLS to Cato Cloud, Matthieu Cijsouw, Global IT Manager at Centrient Pharmaceuticals, touted the cost and performance benefits by saying: “The voice quality of Skype for Business over Cato Cloud has been about the same as with MPLS but, of course, at a fraction of the cost. In fact, if we measure it, the packet loss and latency figures appear to be even better.” Similarly, performance testing between Singapore and Virginia demonstrated Cato’s ability to reduce latency by 10%. While a 10% reduction may not sound like a lot, it can be the difference between a productive VoIP call and an incomprehensible one.

Cato solves WAN latency for the modern enterprise

Cloud-based SD-WAN is uniquely equipped to address WAN latency challenges. Solutions that depend on the public Internet simply aren’t reliable enough, and MPLS isn’t cost-effective or agile enough to make business sense. An affordable private backbone enables Cato to deliver performance that meets or exceeds MPLS in the middle mile, with significantly lower cost and greater agility. As a result, enterprises using Cato Cloud can reduce WAN latency and enhance performance and reliability while also realizing significant cost savings. If you’d like to discuss how Cato can modernize your WAN, contact us today.

The Way Forward: How SD-WAN Benefits the Modern Enterprise

In 2019, it has become clear that SD-WAN has secured its position as the way forward for enterprise WAN connectivity. Market adoption is growing rapidly, and industry experts have declared a winner in the SD-WAN vs MPLS debate. For example, Network World called 2018 the year of SD-WAN, and before the end of Q3 2018 Gartner declared that SD-WAN is killing MPLS. What’s driving all the excitement around SD-WAN? It effectively comes down to this: SD-WAN is more cost-effective and operationally agile than MPLS. SD-WAN reduces capex and opex while also simplifying WAN management and scalability. However, if you don’t drill down beyond high-level conclusions, it can be hard to quantify how SD-WAN will matter for your business. Here, we’ll dive into the top 5 SD-WAN benefits and explain why IT professionals and industry experts alike see SD-WAN as the way forward for enterprises.

Reduced WAN Costs

MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly more expensive than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.

Just how big of a cost difference is there between MPLS and SD-WAN? The specifics of your network will be the real driver here. Expecting savings of at least 25% is certainly reasonable, and for many enterprises it can go well beyond that. For one Cato customer, MPLS was 4 times the cost of cloud-based SD-WAN despite MPLS only providing a quarter of the bandwidth. For a real-world example of how Nick Dell, an IT manager at a major auto manufacturer, optimized his WAN spending by ditching MPLS and moving to SD-WAN, check out this webinar.

Enhanced WAN Performance

MPLS was the top dog in enterprise WAN before cloud computing and mobile smart devices exploded in popularity. Once cloud and mobile became mainstream, a fundamental flaw in MPLS was exposed. Simply put: MPLS is very good at reliably routing traffic between two static locations, but it isn’t good at meeting the demands of cloud and mobile. With MPLS, enterprises have to deal with the “trombone effect”. Essentially, an MPLS-based WAN has to inefficiently backhaul Internet-bound traffic to a corporate datacenter, from which it is then routed back out to the Internet. This places a drag on network performance and can really hurt modern services like UCaaS and videoconferencing. SD-WAN enables policy-based routing (PbR) and allows enterprises to leverage the best transport method (e.g. xDSL, cable, 5G, etc.) for the job, which means no more trombone effect and improved performance for mobile users and cloud services.

In addition to solving the trombone routing problem, SD-WAN is a game changer when it comes to last-mile performance. The same ability to leverage different transport methods enables a more advanced approach to link bonding that can significantly improve last-mile resilience and availability.

Improved WAN Agility

MPLS wasn’t designed with agility in mind. SD-WAN, on the other hand, is designed to enable maximum agility and flexibility. By abstracting away the underlying complexities of multiple transport methods and enabling PbR, SD-WAN allows enterprises to meet the varying demands of cloud workloads and scale up or down with ease. For example, onboarding a new office with MPLS can take anywhere from a few weeks to a few months. With Cato’s cloud-based SD-WAN, new sites can be onboarded in a matter of hours or days. Case in point: Pet Lovers Center was able to deploy two to three sites per day during their Cato Cloud rollout. Similarly, adding bandwidth can take over a month in many MPLS deployments, while SD-WAN enables rapid bandwidth provisioning at existing sites.

Simplified WAN Management

As we’ve mentioned, the long provisioning times with MPLS can create significant bottlenecks, but MPLS management issues go well beyond that. The larger an enterprise scales, the more complex WAN management becomes. Multiple appliances used for security and WAN optimization become a maintenance and management burden as an enterprise grows. Further, gaining granular visibility into the network can be a challenge, which leads to monitoring and mean-time-to-recover issues. Cloud-based SD-WAN adds value here by providing an integrated and centralized view of the network that can be easily managed at scale.

Increased WAN Availability

When it comes to uptime, redundancy and failover are the name of the game. While MPLS has a solid reputation for reliability, it isn’t perfect and can fail. Redundancy at the MPLS provider level is expensive and can be a pain to implement. SD-WAN makes leveraging different transport methods easy, thereby enabling high-availability configurations that help reduce single points of failure. If your fiber link from one ISP is down, you can fail over to a link from another provider. Further, the self-healing features of cloud-based SD-WAN make achieving high availability (HA) significantly easier than before.

The Cloud-Based Advantage

We’ve already mentioned a few ways cloud-based SD-WAN helps magnify SD-WAN benefits, but it is also important to note that cloud-based SD-WAN overcomes one of the major SD-WAN objections MPLS proponents have put forth. In the past, it could have been argued that the lack of SLAs meant SD-WAN solutions were not ready for showtime at the enterprise level. However, with cloud-based SD-WAN from Cato, enterprises get all the benefits of SD-WAN, an integrated security stack, and an SLA-backed private backbone supported by Tier-1 ISPs across the globe.

Furthermore, this private backbone solves another problem other SD-WAN solutions cannot: latency across the globe. For international enterprises that must send traffic halfway across the world, routing WAN traffic over the public Internet alone can lead to significant latency. In the past, this meant the operational and dollar costs of MPLS were worth bearing. However, cloud-based SD-WAN offers a more cost-effective and operationally efficient alternative. Cato’s global, private backbone has PoPs (Points of Presence) across the world that enable traffic to be reliably routed at speeds that meet or exceed MPLS-level performance.

SD-WAN outstrips MPLS for the modern enterprise

While there is no one-size-fits-all answer to every WAN challenge, it’s clear that the majority of modern enterprises can benefit from SD-WAN. We can expect to see MPLS hold a niche in the market for years to come, but SD-WAN is better suited for most modern use cases. In particular, cloud-based SD-WAN gives businesses a reliable, secure, and modern MPLS alternative that offers the agility of SD-WAN without sacrificing reliability or the peace of mind SLAs provide. To learn more about what cloud-based SD-WAN can do for your business, join our upcoming Dark Side of SD-WAN webinar or contact us today.

Will cloud-based networking be your next WAN?

It’s no secret the public cloud is growing. According to Gartner, the global public cloud market is expected to grow 17.3% this year. And it’s also no secret that as more applications move to the cloud, significant changes are forced onto the WAN. With the cloud, most traffic is bound for the Internet, making backhauling to a centralized location for security inspection less practical. And with the cloud, users access applications in and outside of the office. All of which means security enforcement must adapt to these changes, providing secure, direct Internet access from the branch as well as protecting mobile users.

SD-WAN appliances are ill-suited to address these changes. But what if, instead of appliances, we used the cloud to solve the problem of the cloud? You’d have access from anywhere and security everywhere. You’d have one solution for mobile and fixed users, infinitely scalable as all good clouds are. Sounds like a good idea, but practically, how’s that done? Let’s find out.

Benefits of cloud-based networking

There are a few simple reasons that appliance-based SD-WAN solutions aren’t “good enough” for the modern WAN: they become too complex and inefficient at scale, and they struggle to meet the demands of cloud and mobile. For example, most appliance-based SD-WAN products require enterprises to layer security in themselves. The problem is that the integration of enterprise-grade security appliances is complex and often requires costly proprietary hardware. Similarly, optimizing the performance of cloud services or providing support for mobile users can prove to be complex with appliance-based SD-WAN. Cloud-based networking makes it simple to address these challenges in a secure and scalable fashion. For example, as opposed to buying a next-generation firewall (NGFW) appliance, NGFW functionality can be provided using cloud-based, software-defined services from a cloud service provider.

If you understand the standard cloud delivery model and how different network appliances work, understanding the cloud-based networking concept is simple. Service providers aggregate resources and provide them, usually in a multi-tenant model, to consumers. This creates economies of scale that create a win/win for consumers and providers. The benefits to enterprises in the cloud-based networking model are elasticity, velocity, flexibility, fewer resources dedicated to the installation and management of network hardware, and the elimination of upfront costs. Simply put, cloud-based networking allows enterprises to offload the complexity of maintaining network infrastructure to a service provider. When you consider the staff and expertise needed to configure routers, switches, and firewall appliances at the enterprise level, the upside becomes clear. Additionally, cloud-based networking makes it possible to access and manage network resources from effectively anywhere with an Internet connection.

Cloud-based networking and SD-WAN

SD-WAN is one of the services commonly enabled by cloud-based networking. For example, Cato Cloud is built using a cloud-native architecture. This means that users benefit from SD-WAN features like dynamic path selection, QoS, and active-active link usage, as well as an underlying network infrastructure purpose-built for the cloud. Appliance-based SD-WAN requires the management and integration of proprietary appliances to add security and mobile support, and expensive premium cloud connectivity solutions like AWS Direct Connect for optimized cloud connectivity. With Cato Cloud, all of those benefits are built into the underlying cloud-based network. From a security perspective, the Cato network includes an application-aware NGFW, anti-malware functionality, a secure web gateway, and an IPS built in.

As all these features are included in the underlying cloud-based network, they’re inherently more scalable and easier to manage than the old, appliance-based paradigm. As opposed to provisioning discrete appliances at each site or routing all WAN traffic back through a single location for auditing, enterprises have the security they need baked into the WAN. Not only does this make configuration and management much easier, it reduces the chances for a misconfiguration or oversight to create vulnerabilities in the network.

Mobile integrations are another major pain point for appliance-based SD-WAN. Often, enterprises are left with two choices when it comes to mobile integrations: enable users to connect via a cloud access security broker (CASB), which increases cost and complexity, or force them to connect through a specific endpoint (often dramatically impacting performance). Increased cost or extremely reduced performance is never an attractive tradeoff for a CIO. This is another area where cloud-native shines. The Cato Mobile Client ensures that mobile users are able to securely connect to the WAN and all physical and cloud resources. No need to sacrifice usability for performance (or vice versa) with cloud-native.

Additionally, intelligent cloud-native software that is part of our cloud-based network helps deliver the uptime enterprises demand. Features like self-healing help address service blackouts and brownouts. On the topic of uptime: the Cato Cloud includes an SLA-backed private backbone consisting of PoPs (Points of Presence) around the world. Multiple Tier-1 ISPs support the backbone, and if a given carrier fails, monitoring software helps ensure traffic is sent over a different ISP or even through another PoP. This robust backbone, coupled with advanced software monitoring and self-healing, allows us to provide the consistency and reliability enterprises demand on a global scale.

Cloud integrations are another area where cloud networking with the Cato Cloud outstrips appliance-based SD-WAN. With appliance-based SD-WAN, users are often dependent upon public Internet connections. The public Internet is notoriously unreliable, and when data needs to traverse long distances to reach a cloud service provider, latency can create real performance issues. As services like UCaaS and high-definition video streaming become more popular, these problems are exacerbated further. With Cato Cloud, PoPs are often in the same physical datacenters as major cloud service providers. This means that network traffic can egress at the PoP nearest to the provider, reducing latency to trivial levels.

Converged cloud networking matters

The reason cloud-native is able to consistently outperform solutions like appliance-based SD-WAN (the model most telco-managed solutions use) is simple: converged infrastructure is more efficient. Cloud-native solutions provide enterprises with a holistic, robust approach to the WAN. Security, high availability (HA), routing, mobile integrations, and SD-WAN functionality are delivered under one roof. With an appliance-based approach, complex integrations are required to achieve similar functionality, which leads to increased costs and difficulty scaling. In an era where agility is more important than ever, this makes cloud networking and converged infrastructure much more attractive than an appliance-based approach. If you’re interested in learning more about cloud-based networking or SD-WAN, contact us today. As Gartner-described “visionaries” in WAN Edge Infrastructure, we’re uniquely capable of helping you identify solutions for your enterprise. If you’d like to explore the benefits of cloud-native SD-WAN further, check out our Promise of SD-WAN as A Service white paper.

SD WAN redundancy vs. MPLS redundancy

According to a recent Uptime Institute report, network failures trail only power outages as a cause of downtime. The data also suggests that full “2N” redundancy is an excellent way to mitigate the risk of downtime. This got me thinking about a recurring conversation about SD-WAN redundancy I have with IT managers. In one form or another, the question comes up: “how can SD-WAN deliver the same reliability and redundancy as MPLS when it uses the public Internet?” My response? SD-WAN + public Internet alone can’t. You have to have a private backbone.

Cato’s cloud-native approach to SD-WAN not only matches MPLS reliability across the middle mile, it offers better redundancy in the last mile. Why? MPLS provides limited active-passive redundancy in the last mile, while Cato delivers active-active redundancy and intelligent last-mile management (ILLM). Here, we’ll compare MPLS redundancy to SD-WAN redundancy and explain why active-active redundancy and ILLM are so important.

MPLS redundancy: a reliable middle-mile with limited last-mile options

MPLS has a well-deserved reputation for reliability in the middle mile. MPLS providers have a robust infrastructure capable of delivering the reliability enterprises demand from their WAN. In fact, reliability is often used as justification for the high price of MPLS bandwidth. However, practically, the cost of MPLS circuits makes delivering the same level of reliability in the last mile challenging. For many enterprises, the cost of MPLS connectivity simply puts redundant circuits out of reach. And without redundant circuits, sites are susceptible to last-mile outages. Tales of construction crews cutting through wires and causing downtime are well known. Even with redundant circuits, sites remain susceptible to carrier outages, as evidenced by last year’s CenturyLink outage. The disruption was caused by a single faulty network card. Protection against those types of failures, and against failures in the last mile, all but requires dual-homing connections across diversely routed paths to separate providers.

Cato SD-WAN redundancy: a robust global backbone and intelligent last mile management

Cato meets enterprise-grade uptime requirements without MPLS’s high costs. Across the middle mile, our global private backbone comes with a 99.999% uptime SLA. Every Cato PoP is interconnected by multiple Tier-1 carrier networks. Cato’s proprietary software stack monitors the real-time performance of every carrier, selecting the optimum path for every packet. In this way, the Cato backbone can deliver better uptime than any one of the underlying carrier networks.

Across the last mile, Cato Sockets automatically connect to the nearest PoPs. The Sockets are designed with Affordable HA for local, inexpensive redundancy and connect across any last-mile service provider. This allows enterprises to layer in inexpensive Internet connections for resiliency affordable enough for even small locations. As opposed to being tied down to select providers or technologies, enterprises can choose the carriers and transport methods (5G, xDSL, etc.) that provide them the best mix of cost, resilience, and redundancy. Cato’s intelligent last mile management features also enable rapid detection of network brownouts and blackouts, ensuring rapid responses and failover. Further, as Cato controls the entire global network of PoPs and the customer has self-service management capabilities, troubleshooting and responding to issues with agility is never a problem.

Active-passive redundancy vs active-active redundancy in the last-mile

What truly sets Cato’s SD-WAN redundancy apart from traditional MPLS redundancy is Cato’s ability to provide built-in active-active redundancy. MPLS doesn’t provide active-active redundancy per se. At best, you’d configure dual paths and add a load balancer to distribute traffic loads. Practically, MPLS last-mile redundancy has been active-passive, with failover between circuits based on route or DNS convergence. This means failover takes too long to sustain active sessions for many services like VoIP, teleconferencing, and video streaming. The result? Some level of downtime.

With Cato Cloud, active-passive redundancy is an option, but active-active redundancy is also possible. This is because our cloud-native SD-WAN software enables load balancing for active-active link usage. As a result, last-mile “failover” is seamless. Since both transport methods are in use, packets can immediately be routed over one or the other in the event of a failure. The end result is reduced downtime and optimized application performance.

Further, Cato’s approach to active-active redundancy is also able to account for IP address changes. When a site fails over from one ISP to another, the public IP address it is seen from changes, and select applications and policies can stop functioning. Cato’s Network Address Translation functionality obtains IP addresses from a Cato PoP as opposed to an ISP. This means that failing over between ISPs in the last mile won’t compromise network functionality.

Cato enables true SD-WAN redundancy in the last-mile

The Uptime Institute’s data demonstrated the importance of “2N” redundancy to uptime, and Cato’s active-active redundancy brings 2N to the WAN. By coupling active-active redundancy in the last mile with an SLA-backed private backbone, Cato Cloud is able to deliver the uptime enterprises demand. If you’d like to learn more about how Cato’s approach to SD-WAN can improve throughput by five times and optimize WAN connectivity for brick-and-mortar locations, the cloud, and mobile users, download our free WAN Optimization and Cloud Connectivity eBook. If you have specific questions about Cato’s cloud-native SD-WAN, don’t hesitate to contact us today.
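
The link-health and path-selection behaviour described in this post (brownout and blackout detection over links that are all already active, so failover does not wait for route or DNS convergence), together with the voice latency thresholds quoted in the WAN latency post above, as an added Python sketch that is not Cato's code. The class names, the 30 ms jitter and 5% loss thresholds, the rank-then-tiebreak rule, and the probe samples are assumptions.

```python
"""Last-mile link assessment and active-active path selection (added example).

Not Cato's code. It models what the posts describe: probes per last-mile link
measuring RTT, jitter and packet loss; each link classified as healthy,
brownout or blackout; and a selection step over links that are all already in
use, so a failure never waits for route or DNS convergence. The RTT thresholds
are the ones the latency post quotes (100 ms for Skype for Business, a 250 ms
conversational pause); the jitter and loss thresholds are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

RTT_REALTIME_MS = 100.0  # Skype for Business requirement quoted in the post
RTT_PAUSE_MS = 250.0     # natural pause in voice conversation, quoted in the post
MAX_JITTER_MS = 30.0     # assumption: above this, real-time media suffers
MAX_LOSS = 0.05          # assumption: above 5% loss the link is degraded

STATE_RANK = {"healthy": 0, "brownout": 1, "blackout": 2}


@dataclass
class ProbeWindow:
    """RTT samples for one link over one monitoring window; None = lost probe."""
    link: str
    rtts_ms: List[Optional[float]]


@dataclass
class LinkQuality:
    link: str
    state: str       # "healthy", "brownout" or "blackout"
    rtt_ms: float
    jitter_ms: float
    loss: float      # fraction of probes with no reply


def assess(window: ProbeWindow) -> LinkQuality:
    """Classify one link: blackout if nothing answered, brownout if replies
    arrive but RTT, jitter or loss exceed the thresholds, else healthy."""
    replies = [r for r in window.rtts_ms if r is not None]
    loss = 1.0 - len(replies) / len(window.rtts_ms)
    if not replies:
        return LinkQuality(window.link, "blackout", float("inf"), float("inf"), 1.0)
    rtt = mean(replies)
    # Jitter approximated as the spread (standard deviation) of the RTT samples.
    jitter = pstdev(replies) if len(replies) > 1 else 0.0
    degraded = rtt > RTT_REALTIME_MS or jitter > MAX_JITTER_MS or loss > MAX_LOSS
    state = "brownout" if degraded else "healthy"
    return LinkQuality(window.link, state, rtt, jitter, loss)


def realtime_verdict(q: LinkQuality) -> str:
    """Map a link's RTT onto the latency post's thresholds for voice traffic."""
    if q.state == "blackout" or q.rtt_ms > RTT_PAUSE_MS:
        return "unusable"    # longer than the natural conversational pause
    if q.rtt_ms > RTT_REALTIME_MS:
        return "degraded"    # above what Skype for Business requires
    return "ok"


def select_path(qualities: List[LinkQuality]) -> Optional[str]:
    """Pick the link real-time flows should use right now.

    Every link is probed continuously, so this is a lookup over fresh state
    rather than a convergence wait: healthy links first, then the least
    degraded brownout link, and None only when every link is black.
    """
    usable = [q for q in qualities if q.state != "blackout"]
    if not usable:
        return None
    # Assumption: rank by state, then by RTT plus jitter (ms) as a tiebreaker.
    best = min(usable, key=lambda q: (STATE_RANK[q.state], q.rtt_ms + q.jitter_ms))
    return best.link


# Constructed sample windows (not measured data): a clean fiber link, an LTE
# link that is slow and dropping one probe in five, and a cut cable link.
FIBER = ProbeWindow("fiber", [18.0, 20.0, 19.0, 21.0, 20.0])
LTE = ProbeWindow("lte", [80.0, 140.0, 95.0, None, 120.0])
CUT_CABLE = ProbeWindow("cable", [None, None, None, None, None])

if __name__ == "__main__":
    for window in (FIBER, LTE, CUT_CABLE):
        q = assess(window)
        print(f"{q.link:6s} {q.state:9s} voice={realtime_verdict(q):9s} "
              f"rtt={q.rtt_ms:.1f}ms jitter={q.jitter_ms:.1f}ms loss={q.loss:.0%}")
    print("real-time flows via:", select_path([assess(FIBER), assess(LTE)]))
    # The fiber link goes black; the LTE link was already carrying traffic,
    # so selection moves immediately without waiting for route convergence.
    fiber_down = ProbeWindow("fiber", [None] * 5)
    print("after fiber blackout:", select_path([assess(fiber_down), assess(LTE)]))
```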

NaaS Meets SD-WAN: What is NaaS anyway and How Will It Impact Your SaaS, PaaS, and Cloud Strategy?

According to a recent forecast, the global NaaS (Network as a Service) market is expected to grow at a CAGR of 38.3% from 2018 to 2023. The forecast cites reduced costs, increased security, and enhanced agility as growth drivers for the NaaS market. With such bullish projections and potential for business impact, it’s no wonder that NaaS technologies are garnering so much attention. However, not all NaaS solutions are created equal.

NaaS is simply the delivery of virtualized network infrastructure and services following the standard cloud subscription business model popularized by SaaS, IaaS, and PaaS. That means NaaS solutions come in a variety of shapes and sizes, many, like NFV, offering more sizzle than substance. Further, coupling services from multiple discrete service providers can lead to silos, scalability issues, and added complexity. Fortunately, cloud-native SD-WAN platforms, like Cato Cloud, enable enterprises to leverage Network as a Service to its full potential. Here, we’ll explore the basics of NaaS and explain how the Cato Cloud platform provides enterprises with the most effective form of Network as a Service.

Network as a Service: A crash course

With NaaS, many WAN complexities can be abstracted away. Third-party services deliver network functionalities such as VPN, Content Delivery Networks (CDNs), and Bandwidth on Demand (BoD). As a result, enterprises benefit from providers’ economies of scale and shift capex to opex. At a high level, everybody wins. This helps explain why the Network as a Service market is projected to grow to over $21 billion by 2023.

Taking WAN functions and moving them to the cloud inherently allows enterprises to do a better job of remaining agile and secure in a world where cloud and mobile computing are the norm. Gone are the days when enterprises had clearly defined network perimeters that served as demarc points for what needed to be secured and what was on the other side of the moat. By shifting network infrastructure to the cloud, security is not only baked in, but the network also gains significant agility. It is much easier to leverage cloud services to support cloud apps and mobile users than it is to route everything through on-prem hardware.

Another benefit of NaaS is the reduction in appliance costs. Not only does eliminating on-premises hardware reduce capex, it reduces network complexity and network management costs. Coupled with an SD-WAN appliance, some may argue, NaaS can go a long way toward replacing MPLS. The SD-WAN appliance enables dynamic path selection and Policy-based Routing (PbR), and the NaaS solutions abstract away the network infrastructure. However, it is in this packaging of discrete solutions that some of the difficulties of getting Network as a Service right become clear.

The challenge with ensuring a given NaaS solution delivers on this promise is coming up with a bundle of services that provide enterprise functionality without adding too much complexity. In many cases, effectively meeting the demands of a modern enterprise WAN can lead to requirements that entail a mixed bag of solutions from different providers. This patchwork of solutions then increases complexity, and often leads to sacrifices in the form of limited functionality, reduced network visibility (which impedes WAN monitoring and management), and decreased performance. This in turn reduces the upside of NaaS.

How cloud-based SD-WAN adds advanced security, simplicity, and scalability to NaaS

So, how can the benefits of NaaS be delivered without overcomplicating the WAN and diminishing the benefits of the as-a-service model? By taking all the major WAN networking and security functions and aggregating them into the cloud. This is where cloud-based SD-WAN comes in.

Cato Socket SD-WAN devices enable enterprises to choose a transport method (e.g. LTE, fiber, cable, etc.) to connect their physical locations to the closest Cato Point of Presence (PoP). As a result, enterprises gain advanced WAN management features and functionality. Sockets are zero-touch and minimize the manpower and risk associated with network changes. Additionally, all Cato Sockets can be configured for active-active failover, which helps enhance uptime and simplify network management, and for an affordable High-Availability (HA) mode. Active-active failover further improves WAN performance by enabling Cato to route traffic around both blackouts (complete network outages) and brownouts (a reduction in network performance), improving last-mile performance.

The global backbone that supports the Cato Network is one of the most important aspects of the platform. The backbone includes over 45 PoPs across the globe interconnected via multiple SLA-backed ISPs (Internet Service Providers). Monitoring software at the PoPs helps improve WAN routing by checking for latency, jitter, and packet loss in real time, again simplifying management and improving performance.

The cloud-based, multitenant, and global nature of the Cato Network allows enterprises to benefit from advanced WAN security at scale as well. The Cato Cloud has a built-in network security stack that includes:

Next-Generation Firewall. Cato delivers advanced NGFW capabilities using FWaaS to enable network-wide visibility, granular policy enforcement, simple scalability, and streamlined life cycle management.

Advanced Threat Protection. Cato’s Intrusion Prevention System is contextually aware and able to intelligently respond to threats while limiting false positives.

Secure Web Gateway. End users are one of the most common network attack vectors. Cato SWGs inspect inbound and outbound Layer 7 web traffic.

Managed Threat Detection and Response. Responding to threats as rapidly as possible is vital to maintaining a sound security posture. Cato’s MDR leverages intelligent algorithms and human verification to help keep networks secure and guide customers through remediation in the event a node is compromised.

These features enhance WAN security while also reducing complexity. With Cato Cloud, the entire solution is converged “under one roof”. The complexities of appliance management, patching, maintenance, and network monitoring are abstracted away. Just how important is it to take a holistic approach that integrates security into a NaaS? Centrient Pharmaceuticals, a leading antibiotics manufacturer, was able to cut costs roughly in half while quadrupling network capacity and adding security services to the WAN with Cato.

The Cato Cloud: The converged approach to Network as a Service

As we have seen, the Cato approach to Network as a Service fulfills the full potential of the NaaS model. By providing a converged global WAN infrastructure, the Cato Cloud enables enterprises to enjoy the upside of NaaS while eliminating the complexity created by bundling multiple solutions from different vendors. If you’re interested in learning more about how Cato can help you improve your WAN performance while reducing your WAN costs, please contact us today. If you’d like to take a deeper dive on the topic of cloud-based SD-WAN, check out our Promise of SD-WAN as A Service whitepaper.

How to connect multiple offices quickly and affordably with Cato Cloud

One complaint I often hear is how the WAN can be a bottleneck to productivity. MPLS circuits can take weeks, even months, to provision depending on location. All too often, IT directors have told me they need to explain why MPLS circuit delivery is a holdup for a branch office going live. At a time when agility is more important than ever to business outcomes, this is an unenviable situation to say the least. This then begs the question: how do you connect multiple offices rapidly and affordably without sacrificing performance? Cloud-native SD-WAN provides a way to do just that.

Challenges when connecting multiple offices

There are a few common requirements when it comes to connecting multiple offices to the WAN. The connection must be secure, reliable, affordable, and capable of delivering the performance enterprises demand. The competitive nature of modern business also dictates that any solution is agile and scalable enough to meet the needs of an increasingly mobile workforce and allow for rapid onboarding of new sites.

VPN has proven to be a popular solution for site-to-site connectivity. However, as demonstrated in this case study of a software security company expanding to Europe, VPN has a number of downsides that limit its practical applications. VPN requires onsite IT staff to manage local firewalls, not always practical in the era of WeWork and mobile employees. Complexity also grows with the size of the network, limiting scalability. Mobile VPN clients are either non-existent or too clunky to enable an optimized connection for mobile workers. Further, the time it takes to get a physical appliance to a branch office in a foreign country can make VPN impractical for time-sensitive projects. In other cases, teams are so small or mobile that a physical appliance is simply overkill. However, what often makes VPN unusable for the enterprise is the notorious unreliability of the public Internet.

The desire for reliability is why many enterprises have looked to MPLS to connect multiple offices in the past. The problem is that MPLS simply isn’t agile or fast enough for deployments that require rapid onboarding. In the aforementioned case study, it would’ve taken about 6 weeks to deliver an MPLS circuit, an obvious deal-breaker for a 5-week project. Further, MPLS bandwidth is significantly more expensive than Internet bandwidth, making connecting multiple offices with MPLS expensive. This also makes providing connectivity to small offices impractical. Finally, like VPN, MPLS struggles to provide optimized performance for cloud and mobile users (e.g. the trombone effect).

How to connect multiple offices with Cato

Cato’s cloud-native SD-WAN is able to solve all these problems elegantly. With Cato, the complexity of VPN and lengthy MPLS provisioning times are a thing of the past. Just how much of an improvement is Cato? Check out this video that demonstrates how to connect and provision a Cato Socket in 3 minutes. From there, the “how to connect multiple offices” process is simply rinse-and-repeat. Not only is this process faster and more scalable than the alternatives, the resulting WAN connectivity performs better and is more secure. Our global private backbone is backed by a 99.999% uptime SLA, includes an integrated security stack, provides end-to-end route optimization for cloud traffic, and delivers WAN connectivity that meets (and often exceeds) MPLS reliability at significantly lower costs.

But what about those sites where an appliance of any kind is impractical? This ADB SAFEGATE case study provides a real-world example of how Cato’s mobile client handled the challenge of deploying all 26 company sites within two months. According to Lars Norling, director of IT operations at ADB SAFEGATE, “the possibility to include everyone within the solution, including all of our traveling colleagues and all of our small offices using the Cato mobile client, has been extremely important to us”. By creating a software-defined perimeter (SDP), Cato makes it easy to securely connect even a single mobile user via clientless browser access. As SDP is built in to the Cato Cloud, mobile users are protected by the same policies and packet inspections as on-prem employees and benefit from the same WAN optimization features.

Cato eliminates WAN bottlenecks and makes connecting multiple offices simple

As we have seen, Cato Cloud makes connecting multiple offices simple, fast, and affordable. This enables enterprise WANs to keep up with the speed of modern business, and no longer act as a bottleneck or impediment to progress. If you’d like a demo of the nuts and bolts of the “how to connect multiple offices” process, you’re welcome to contact us today. For more examples of successful MPLS to SD-WAN migrations, download our free 4 Global Companies who Migrated Away from MPLS eBook. To learn more about the WAN optimization benefits of cloud-native SD-WAN, check out our WAN Optimization and Cloud Connectivity whitepaper.

Making a Strategic Plan for the Future of Networking

Many enterprise networks are straining under the pressure of massive changes brought on by computing trends that are shifting traditional traffic patterns as well as by digital transformations of the underlying business. Companies are shifting workloads to the cloud, increasing their use of voice and video applications, and adding thousands or even millions of new connections to support IoT devices. All these changes have a severe impact on networks that haven’t yet been re-architected to support the new traffic volumes and patterns and cloud-based applications.

To help organizations plan for and execute the necessary changes to their networking infrastructure, Gartner developed a guide published as the 2019 Strategic Roadmap for Networking. This guide provides recommendations on:

Transforming the workforce, skills and culture of the networking organization
Deploying SD-WAN to enable greater network agility, simplicity and performance
Leveraging Wi-Fi and cellular connectivity across the campus network
Implementing automation, orchestration and intent-based networking (IBN) solutions
Optimizing the vendor sourcing approach

Network managers are being asked to deliver more services and make changes at an increasing pace, with fewer errors and at a lower cost. Gartner says that network budgets are essentially flat, and organizations need to do more with less. “Areas that will be in focus are reducing reliance on MPLS in favor of internet access, automation, different business models/sourcing options and taking advantage of open standards where possible.”

The Gap between “Future State” and “Current State”

Gartner lays out what it believes the future state of networking should be and compares that to the current state of networking for most enterprises today. The gap between the two states is wide but not insurmountable, thus presenting challenges (and opportunities) in the migration plan:

“Premium products instead of premium people”

Today’s style of networking requires a large staff of people whose skills are focused on keeping the network operating and performing well. Network practitioners have vendor certifications that are focused on a particular vendor silo, such as Cisco, Microsoft or VMware. They are intimately familiar with their silo’s command line interface (CLI). The knowledge is different from product to product and so the people are pigeon-holed in their specialty areas. In the future state of networking, people will need to have far different kinds of skills and knowledge, such as DevOps development and AI and machine learning. Business acumen will be the premium skill, rather than knowing how to program a router. Any networking migration plan needs to include reskilling the workforce.

“From MPLS to Internet and routers to SD-WAN”

The network of the future will reduce its reliance on MPLS in favor of Internet with SD-WAN. This will increase agility and reduce costs. Gartner recommends that network leaders focus on solutions that simplify the deployment and operation of the network, using capabilities such as zero-touch configuration, orchestration with APIs, business-policy-based configurations, IBN solutions, automation and virtualization. Gartner stresses the importance of “automate wherever possible.”

“Data-center-centric to hybrid cloud”

There is a surge in business initiatives leveraging cloud-based IT delivery. According to Gartner, there is now more traffic to public clouds than to on-premise data centers, more applications delivered as a service than from on-premise data centers, and more sensitive data in clouds than in on-premise data centers. However, public cloud and data center networks are not integrated today, and enterprise WANs are not optimized for hybrid cloud. The two environments are operated today as separate silos, with different tools, products and features. Every organization needs to reevaluate its WAN strategy and re-architect the network to adapt to hybrid cloud computing.

“From manual CLI to automation and APIs”

Too many networking tasks today are performed manually, often by a skilled network engineer interacting with a single network device through a command line interface. This process is expensive and time-consuming, and it doesn’t scale. Enterprises can increase their reach and agility by adopting orchestration and automation tools that will take over many if not most of the manual tasks. External service offerings will be delivered through APIs. These changes mean that network professionals need to develop skills around automation and programming to build and operate the network of the future.

“From vendors as strategic advisors to vendors as suppliers”

According to Gartner, organizations are migrating away from do-it-yourself network management with a capital expenditure mindset to an outsourced model where network services are acquired from managed network service providers in an opex model. “As far as outsource business models, we expect network as a service (NaaS) to gain increasing traction where the overall solution (hardware and software) are optionally offered as subscription services.” Gartner stresses that network organizations should source from network suppliers that meet a specific need at the right cost.

Solving the most common challenges for IT Infrastructure and Operations (I&O) teams

Gartner customers identify their top two challenges, by far, in planning for their future network as “managing technology challenges” and “insufficient skills/resources.” A third leading challenge is “insufficient capacity to absorb more change.” Obviously, these are not challenges that can be overcome quickly, but Gartner does mention an option that can help enterprises get to their desired future state sooner rather than later: utilizing managed network services such as NaaS. NaaS is a readily available, on-demand answer to three questions I&O leaders must ask themselves:

Does the enterprise have the necessary number of resources in the right roles to perform the required functions?
Is it more economical to operate in DIY mode with staff, tools and equipment, versus MNS?
Is managing the network a strategic need/requirement as a core function, or are there more pressing priorities that need to be managed by the enterprise?

I&O leaders have a responsibility to explore the option of a managed network service to see how it might help them reach the desired state of their future network. Cato Networks stands ready to have that conversation with organizations that want to start that network transformation today.

SD-WAN Services: Forget Burger King, Just Manage It Your Way

The old Burger King jingle came to mind when thinking about today’s introduction of Cato Hands-free Management for our global managed SD-WAN Service. Hold the pickles or the lettuce — it doesn’t much matter; Burger King gave you the burger the way you like it. And that’s certainly true with how we let you manage your network.

Unlike a traditional telco, Cato has always let customers run their networks or, if they preferred, share some of their networking responsibilities with Cato or its partners. But with Cato Hands-free Management, customers can outsource all networking and security configuration responsibilities to the expert staff at Cato or its partners.

Cato Hands-free Management is part of the Cato Managed Services portfolio that includes:

Managed Threat Detection and Response (MDR) continuously monitors the network for compromised, malware-infected endpoints. Cato MDR uses a combination of machine learning algorithms that mine network traffic for indicators of compromise, and human verification of detected anomalies. Cato experts then guide customers on remediating compromised endpoints.

Intelligent Last-Mile Management provides 24×7 last-mile monitoring. In case of an outage or performance degradation, Cato will work with the ISP to resolve the issue, providing all relevant information and keeping the customer informed on the progress.

Rapid Site Deployment provides customers with remote assistance in deploying Cato Sockets, Cato’s zero-touch SD-WAN device.

Regardless of the management approach, Cato retains responsibility for the underlying Cato Cloud infrastructure, upgrading, patching, or otherwise maintaining Cato software or hardware.

What’s the Right Way for You?

Why so many approaches to network management? Because there’s no right way, there’s only your way. Companies, like people, have different needs. In some cases, running the network themselves is a requirement; in other cases, though, the last thing the IT manager would like to do is take responsibility for every move and change.

Each way has its strengths. With self-service, enterprises realize unsurpassed agility by configuring and troubleshooting the networks themselves, doing in seconds what otherwise required legacy telcos hours or days. For additional assistance, co-management allows customers to rely on ongoing support from Cato or its partners without relinquishing control of overall management. And, of course, with Cato Hands-free Management companies gain the ease of full management, though they can still make changes themselves if they want. With Cato, you do get to manage the network your way. And this says nothing about Cato’s wide range of professional and support services.

Management Built for Digital Business

This kind of flexibility is strange for managed network services, which traditionally only offered full management. Telco-managed networks are too cumbersome, too complex to allow companies self-service management of the security and network infrastructure. It requires a network designed from the ground up for the needs of today’s digital business.

And traditionally managed services put restrictions on customers, tying the overlay (SD-WAN or MPLS) to the telco’s underlay (last-mile and backbone services). Requiring use of the telco’s underlay left enterprises subject to high costs, limited geographic reach, and protracted deployment times. Such an approach is, again, incompatible with a digital business that looks to be leaner and more agile, particularly as the network must increasingly connect clouds, mobile users, and branch locations situated outside of the telco’s operating area.

Cato Cloud was uniquely designed for the needs of the digital business, and not just in how we think about management. Enterprises bring their last-mile access to Cato or procure last-mile services through Cato partners. They then connect to Cato’s global backbone through any local Internet access, freeing them from the lock-in of traditional telco services. As a globally distributed cloud service, Cato seamlessly connects mobile and cloud resources, without being chained to a specific geographical location or physical infrastructure.

With Cato, organizations get the tomatoes and lettuce: the peace of mind of a managed service with the speed and agility of self-service. And, yes, you Wendy’s lovers, there’s plenty of beef there as well. Cato Hands-free Management and the rest of Cato Managed Services are currently available. For more information about Cato Managed Services visit https://www.catonetworks.com/services

Mirai Malware Targeting the Enterprise

Mirai is back with a vengeance. The infamous malware that crippled global DNS provider Dyn, French Web host OVH and security journalist Brian Krebs’ Web site with botnets of infected home routers, baby monitors and other IoT devices is now infecting enterprise network equipment, according to a recent Palo Alto Networks blog and Network Computing article.

Mirai has already shown how much havoc it can wreak. The October 2016 Dyn attack disrupted access to Amazon, Airbnb, Netflix, Spotify, Yelp, The Guardian, CNN and scores of other major Web sites and services across Europe and North America. Mirai DDoS attacks also crippled Rutgers University’s network and Internet access across the African country of Liberia. After the initial 2016 attacks, Mirai’s source code found its way online, including GitHub, with third-party variants continuing to cause trouble long after its original perpetrators were arrested.

Even More Lethal

Mirai seeks out thousands of routers and IoT devices exposed to the Internet and configured with default vendor usernames and passwords, infecting and assembling them into botnets that flood and cripple intended targets with massive volumes of traffic. The current strain adds a host of new infection targets, including enterprise SD-WAN appliances, wireless presentation systems, and digital signage. It has added several new default device usernames and passwords for its brute force IoT device attacks and can infect unpatched and misconfigured devices via other publicly available exploits even if default logins have been changed. Access to copious enterprise bandwidth may enable Mirai to launch even more devastating attacks than before.

Protecting your network from infection isn’t rocket science. Inventory all networked IoT devices frequently; change all default login usernames and passwords; and keep IoT devices, firewalls, VPNs, and anti-malware software up to date with current security patches. Even if you succeed in preventing your network from joining a Mirai botnet, however, you still have to worry about Mirai-induced DDoS attacks.

How Cato Protects Your Network

Cato helps you counter Mirai infection by slashing the attack surface. The Cato Sockets are hardened devices with all unnecessary services disabled. Sockets also only accept traffic from authorized sources. And with SD-WAN appliances, there’s a chance IT will misconfigure and expose them to the Internet; not so with Cato Sockets, which are managed by Cato personnel who enforce secure configuration and updates.

Cato also prevents malware, like Mirai, from entering your SD-WAN or spreading across sites with its enterprise-grade network security stack. Cato Security Service currently includes a next-generation firewall, secure Web gateway, anti-malware, IPS, and managed threat detection and response.

Cato can also counter Mirai-induced botnet DDoS attacks with its extensive built-in DDoS resiliency and protection. Cato PoPs have been designed with the elasticity and scale to handle massive volumes of traffic, including that of DDoS attacks. They’re also protected with a host of specific anti-DDoS measures and can reassign targeted sites to unaffected IP addresses if necessary. Only authorized sites and mobile users can connect and send traffic to the Cato Cloud backbone.

No doubt Mirai and attacks like it will continue to gain sophistication, incorporating more networked devices, including those in the enterprise, and adding more exploits. A combination of effective security measures and the inherent security of the Cato Cloud can help keep the beast at bay.
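The post's advice boils down to knowing which devices are on the network and noticing when one of them starts behaving like a bot. The following Python script is an added example (not code from the post, from Cato, or from the Palo Alto Networks research it cites) of two checks a defender can run over exported firewall or flow logs: an inventory check that flags sources not in the device list, and a detection for the outbound telnet fan-out that Mirai-style propagation produces (Mirai's scanner probes TCP ports 23 and 2323 on many addresses in quick succession). The log format, the inventory, the device addresses, and the fan-out threshold and window are all constructed for the example.

```python
"""Inventory check and Mirai-style telnet-scan detection over constructed flow logs.

Added example; the log format and every address below are constructed,
and the thresholds are hypothetical starting points to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Mirai's propagation scanner targets the telnet ports 23 and 2323.
SCAN_PORTS = {23, 2323}
FANOUT_THRESHOLD = 5              # distinct destinations from one source ...
WINDOW = timedelta(minutes=1)     # ... within this sliding window (hypothetical)

# Constructed sample log: "<ISO time> <src> <dst> <proto> <dport> <action>".
# 10.1.5.20 sweeps six hosts on 23/2323 in five seconds (bot-like);
# 10.1.9.9 makes two telnet connections minutes apart (an admin, most likely).
SAMPLE_LOG = """\
2019-03-20T10:00:01 10.1.5.20 203.0.113.10 tcp 23 deny
2019-03-20T10:00:02 10.1.5.20 203.0.113.11 tcp 23 deny
2019-03-20T10:00:02 10.1.5.20 198.51.100.7 tcp 2323 deny
2019-03-20T10:00:03 10.1.5.20 198.51.100.8 tcp 23 deny
2019-03-20T10:00:04 10.1.5.20 192.0.2.44 tcp 23 deny
2019-03-20T10:00:05 10.1.5.20 192.0.2.45 tcp 2323 allow
2019-03-20T10:00:06 10.1.7.3 192.0.2.80 tcp 443 allow
2019-03-20T10:00:07 10.1.7.3 192.0.2.81 tcp 443 allow
2019-03-20T10:05:00 10.1.9.9 203.0.113.10 tcp 23 allow
2019-03-20T10:09:00 10.1.9.9 203.0.113.11 tcp 23 allow
"""

# Constructed device inventory: the addresses IT knows about.
KNOWN_INVENTORY = {"10.1.7.3", "10.1.9.9"}


def parse_flows(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "action": action})
    return flows


def unknown_sources(flows, inventory=KNOWN_INVENTORY):
    """Inventory check: sources that appear in the logs but not in the device list."""
    return sorted({f["src"] for f in flows} - inventory)


def find_telnet_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct telnet destinations} for sources whose
    fan-out on 23/2323 reaches the threshold within any sliding window.
    Denied flows count too: a blocked scan is still an infected host."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in SCAN_PORTS:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("not in inventory:", unknown_sources(flows))
    print("telnet scanners:", find_telnet_scanners(flows))
```

The two checks reinforce each other: the host that fails the inventory check is also the one sweeping telnet, which is exactly the "unknown device with default credentials" profile the post describes. In practice the window and threshold are tuned against a baseline of legitimate telnet use, and the alert feeds the IPS or MDR workflow rather than standing alone.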

The Co-Managed SD-WAN: A Managed Infrastructure with Self-Service Capabilities for Agility

SD-WAN certainly provides companies with a lot of flexibility, and one aspect of that flexibility is how to manage the networking solution. There are various management models that differ in the degree of responsibility assumed by the enterprise or its chosen service provider in terms of infrastructure maintenance, continuous monitoring, and change management.

One management model is the do-it-yourself (DIY) approach, which has long been popular with enterprises that purchase and deploy the SD-WAN appliances themselves. Typically, they have the in-house expertise to manage their existing wide area network and feel comfortable adapting to the new technologies of the SD-WAN. The enterprise assumes the responsibility for maintaining the underlying infrastructure such as the SD-WAN appliances, routers or data centers, as well as the ongoing monitoring of the SD-WAN and changes that must be made to the configuration. The DIY approach is resource-intensive and requires a high level of expertise within the enterprise.

At the opposite end of the spectrum is the management model of a fully managed service where the preferred provider is responsible for everything. It’s basically a turnkey solution where the managed service provider (MSP) maintains all the infrastructure, monitors the network for issues, and performs any move/add/change requests. This model is ideal for companies that don’t have the in-house expertise or that don’t want to retrain or re-skill their employees to manage the new networking approach. However, the enterprise is also highly dependent on the responsiveness of the MSP.

The Challenges of the DIY Approach

When a company opts to go the DIY route, it enjoys the freedom of choosing how things are done, including which SD-WAN appliances are used, what transports are utilized, and how everything is managed. While choice is good, there are three common problems with DIY SD-WAN:

When a variety of Internet connections are used, there is no carrier-grade backbone service that is fully backed with a service level agreement (SLA) to protect against latency and unpredictability. Internet connections are notoriously unpredictable and can fluctuate too much to sustain critical traffic such as voice and video.

Along with the SD-WAN, security is also DIY. Security is often added to the solution via service insertion or service chaining. Branches that have their own direct connection to the Internet will require a full stack of security services, including next-generation firewall, intrusion detection/intrusion prevention, sandboxing, and so on. What’s more, patching, upgrades and capacity planning – now for many locations – need to keep pace with increasing traffic loads and a growing threat landscape.

Then, too, there are integration challenges. For example, the missing components that a service provider can provide, such as security services and an SLA-backed network backbone, are significant gaps in the solution. Moreover, SD-WAN appliances don’t address the needs of mobile users and are inherently unsuitable for native cloud applications. Bolting on such services and capabilities creates integration challenges, even for a knowledgeable and skilled IT team.

The Challenges of Carrier-Managed SD-WAN

It might sound good to outsource SD-WAN management to an MSP and let them deal with everything, but that doesn’t mean there aren’t problems for the enterprise in this model:

All that resource-intensive service has a cost associated with it, and it could be enough to offset the savings from using SD-WAN in the first place.

There is certainly a loss of agility when the enterprise has to depend on a third party to do everything. The network and security services are managed by the MSP, and the customer must rely on the support services for adds/moves/changes. Even simple changes, like a firewall rule, could take days to be completed.

Choosing the wrong MSP could put an enterprise in a bind. Not all service providers have a reputation for exceptional service, and making a commitment to one MSP could mean paying for a service that isn’t necessarily good service.

Sharing Management Responsibilities

Of course, there’s another way to go about this. The enterprise and the MSP can share the SD-WAN management responsibilities. This allows the enterprise to see the benefits of both appliance and managed SD-WAN solutions without the drawbacks. In the co-managed services model, the enterprise can enjoy self-service for things like applications and security policies, while the service provider takes care of infrastructure maintenance. The two organizations also may choose to share the tasks of continuous monitoring of the network and the change management aspect of administration. Thus, either the enterprise or the service provider can fulfill move/add/change requests for networking services.

There is a flavor of the co-managed SD-WAN in which most SD-WAN and network security capabilities move from appliances on the customer premises into a core network in the cloud. The SD-WAN as-a-service provider maintains the underlying shared infrastructure – the servers, storage, network infrastructure, and software – and all are hosted on a carrier-grade network backed by strong SLAs. A full security stack is embedded within the network such that all traffic – from every location and every user – passes through security at all times. Meanwhile, enterprises have the ability to modify, configure, and manage their SD-WAN as if it ran on their own dedicated equipment. Enterprises gain the best of both worlds: low-cost shared infrastructure and the flexibility and performance of dedicated devices.

With a co-managed solution, security can scale as necessary, anywhere, eliminating the limitations of location-bound appliances. New features are instantly available to every site, user, or cloud resource connecting to the SD-WAN service, with the customer in control of the changes the business requires.

Technology has shifted, and businesses require an agile WAN infrastructure with the ability to roll out sites in days, not weeks or months. The WAN is transforming into a resource that connects mobile, SaaS, IaaS, and offices that require more than simple connectivity. Intelligence, reach, optimization, and security are attributes the WAN needs today, and a co-managed SD-WAN as a service solution brings all the advantages of SD-WAN into one solution.

New Research Documents How Traditional Telco Services Cripple Digital Transformation

How are digital business transformation projects impacting enterprise networks? To answer that question, we asked more than 1,600 IT professionals worldwide. The report, Telcos and the Future of the WAN in 2019, focuses on those 432 who purchase telco services for organizations with MPLS backbones.

Repeatedly we heard that SD-WAN continues to serve as the basis of their digital transformation efforts. No surprise there. What’s perhaps more interesting, though, is the shift towards managed services. The need for predictable delivery across the global network to sites, cloud resources, and mobile users, while at the same time developing a security architecture that can accommodate local Internet access, is pushing many companies to turn to managed SD-WAN services. The traditional source of those services, the telcos, inadequately address customer expectations around speed, agility, and overall value.

SD-WAN: It’s Not Just about Costs

Since SD-WAN burst onto the market, cost savings have been routinely cited as the reason for deploying the technology. Yes, SD-WAN can take advantage of affordable Internet connectivity to reduce network spend, but there are many other advantages, namely agility and improved cloud performance, that also come with SD-WAN.

Respondents echoed similar results in this year’s survey. Only a third of respondents indicated that their motivation for purchasing SD-WAN was to address excessive WAN-related costs. The other motives? The highest ranked ones involved improving Internet access (46%), followed by the need for additional bandwidth (39%) and improved last-mile availability (38%).

WAN Transformation is the New Normal

No surprise then that more companies should be adopting SD-WAN as the basis of WAN transformation. In fact, the percentage of organizations transforming their WAN has grown considerably since our last survey. Nearly half of respondents (44%) indicated that they had or were considering deploying SD-WAN. Last year the number was just over a quarter of respondents.

With that said, digital transformation puts requirements on the network that exceed the capabilities of SD-WAN. The overwhelming majority of respondents (85%) indicated they would be confronting networking use cases in 2019 that are ignored or out of step with SD-WAN technology.

Security is a case in point. SD-WAN alone says nothing about defending the company edge. Half of the respondents will need to provide secure Internet access from any location, with the biggest security challenges being defending against malware/ransomware (70%) and enforcing corporate security policies on mobile users (49%). All of which is out of scope for SD-WAN alone. Taming those security challenges is critical for SD-WAN to improve cloud performance and reduce network costs.

Managed Services Will Be Essential for WAN Transformation

With so many components and complexities, most respondents (75%) are turning to service providers for their SD-WAN design and deployment. Providers are generally better equipped to integrate SD-WAN with other technologies to address broader IT challenges. Legacy telcos are the de facto source for managed SD-WAN services but not the preferred ones. Respondents remain overwhelmingly dissatisfied with telco agility, velocity, and support:

Respondents gave telcos a 54 (out of 100) when asked if they thought network service pricing was fair.
On overall experience, telcos scored lower (3.33 out of 5) than cloud application providers (3.70) and cloud datacenter providers (3.71).
Only 2% of respondents indicated that telcos exceeded their expectations in delivering new features and enhancements.

Day-to-day network operations prove difficult with traditional telco services. Nearly half (46%) of respondents reported that moves, adds, and changes (MACs) require at least one business day (8 hours or more). Nearly three-quarters of respondents indicated that deploying new locations required three or more business weeks.

Managed Service Blended with Cloud Attributes

There remains a strong interest in network services with cloud attributes of agility and self-service. Flexible management models are essential to this story. More specifically:

71% of respondents indicated that telcos take too long to resolve problems.
48% complained about the lack of visibility into telco services.
80% preferred self-service or co-management models instead of the full management model required by traditional telcos.

It’s why we believe so strongly that managed SD-WAN services must use a cloud-native architecture. To learn more about cloud-native networks and the results of that research, download Telcos and the Future of the WAN in 2019.

How SD-WAN Overcomes Last Mile Constraints

As more businesses require 24/7 uptime of their networks, they can’t afford to “put all their eggs in one basket.” Even MPLS with its vaunted... Read ›
How SD-WAN Overcomes Last Mile Constraints

As more businesses require 24/7 uptime of their networks, they can't afford to "put all their eggs in one basket." Even MPLS, with its vaunted "five nines" SLA, has struggled with last-mile availability. SD-WAN offers a way forward that significantly improves last-mile uptime without appreciably increasing costs.

Early Attempts To Solve The Problem

Initial efforts to solve the problems and limitations of the last mile had limited success. To improve overall site availability, network managers would pair an MPLS connection with a backup Internet connection, effectively wasting the capacity of the Internet backup while the primary was healthy. A failover also meant all current sessions were lost, and the failover process and timeframe were typically less than ideal.

Another early attempt was link bonding, which aggregates multiple last-mile transport services. This improved last-mile bandwidth and redundancy but did nothing for the middle mile. Operating at the link layer, link bonding is not itself software-defined networking, but the concept of combining multiple transports paved the way for SD-WAN, which has proven itself a solution for today's digital transformation.

How The Problem is Solved Today

Building on link bonding's idea of combining multiple transports and transport types, SD-WAN moves the functionality up the stack. SD-WAN aggregates last-mile services and presents them to the application as a single pipe. The SD-WAN is responsible for compensating for differences in line quality, prioritizing access to the services, and addressing the other issues that arise when aggregating different types of lines. With Cato, the last mile is optimized using several techniques: policy-based routing, hybrid WAN support, active/active links, packet loss mitigation, and QoS (upstream and downstream).

Cato optimizes traffic not only on the last mile but also on the middle mile, providing end-to-end optimization to maximize throughput on the entire path. High availability, high bandwidth, and performance are achieved by letting customers prioritize traffic by application type and link quality, and dynamically assigning the most appropriate link to each application. The Cato Socket is a zero-touch SD-WAN device deployed at physical locations. It uses multiple Internet links in an active/active configuration to maximize capacity, supports a 4G/LTE link for failover, and applies the respective traffic optimizations and packet-loss mitigation algorithms.

Willem-Jan Herckenrath, Manager ICT for Alewijnse, describes how Cato Cloud addressed his company's network requirements with a single platform: “We successfully replaced our MPLS last-mile links with Internet links while maintaining the quality of our high definition video conferencing system and our Citrix platform for 2D and 3D CAD across the company.”

SD-WAN Leads The Way

The features and capabilities of Cato Cloud let organizations break free from the last-mile constraints of MPLS and Internet-based connectivity, and open up possibilities for improved availability, agility, security, and visibility. Bandwidth-hungry applications and migrations to the cloud have created a WAN transformation revolution, with SD-WAN leading the way.
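To make the link-selection mechanism concrete, here is an added example (not Cato's code, and not a description of the Socket's actual algorithm): a small Python policy engine that takes the measured quality of each last-mile link, drops links outside an application's quality ceilings, keeps the wired links active/active, and falls back to LTE only where policy allows. The application classes, thresholds, link names and measurements are assumptions constructed for the demo.

```python
"""Policy-based last-mile link selection for an SD-WAN edge.

Added example, not Cato's code: it shows the mechanism the article describes
(aggregate several last-mile links, measure each, then pick the link that
meets an application's quality policy, keeping LTE for failover). The link
measurements, application classes and thresholds are constructed for the demo.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Link:
    name: str
    kind: str            # "wired" (fiber, cable, DSL) or "lte"
    up: bool
    latency_ms: float    # probe measurements (constructed values)
    loss_pct: float
    jitter_ms: float
    capacity_mbps: float
    used_mbps: float

    def utilisation(self) -> float:
        return self.used_mbps / self.capacity_mbps


# Per-application policy (assumed thresholds, not a vendor default): quality
# ceilings, whether the metered LTE link may be used at all, and what to
# optimise for among the links that still qualify.
APP_POLICY = {
    "voip":   {"max_latency_ms": 150, "max_loss_pct": 1.0, "max_jitter_ms": 30,
               "allow_lte": True, "prefer": "latency"},
    "erp":    {"max_latency_ms": 300, "max_loss_pct": 2.0, "max_jitter_ms": 100,
               "allow_lte": True, "prefer": "latency"},
    "backup": {"max_latency_ms": 1000, "max_loss_pct": 5.0, "max_jitter_ms": 500,
               "allow_lte": False, "prefer": "headroom"},
}


def meets_policy(link: Link, policy: dict) -> bool:
    """True if the link is up and inside the application's quality ceilings."""
    return (link.up
            and link.latency_ms <= policy["max_latency_ms"]
            and link.loss_pct <= policy["max_loss_pct"]
            and link.jitter_ms <= policy["max_jitter_ms"])


def select_link(app: str, links: List[Link]) -> Optional[str]:
    """Pick the best link for `app`, or None if no link satisfies its policy.

    Wired links are active/active: every qualifying wired link competes and the
    winner is chosen by the policy's preference (lowest latency, or most free
    capacity). LTE is considered only when no wired link qualifies, and only
    for applications allowed to use it.
    """
    policy = APP_POLICY[app]
    qualifying = [l for l in links if meets_policy(l, policy)]
    pool = [l for l in qualifying if l.kind == "wired"]
    if not pool and policy["allow_lte"]:
        pool = [l for l in qualifying if l.kind == "lte"]
    if not pool:
        return None
    if policy["prefer"] == "latency":
        best = min(pool, key=lambda l: (l.latency_ms, l.utilisation()))
    else:
        best = min(pool, key=lambda l: (l.utilisation(), l.latency_ms))
    return best.name


def plan(links: List[Link]) -> dict:
    """Map every known application class to its chosen link (or None)."""
    return {app: select_link(app, links) for app in APP_POLICY}


# Constructed measurements for one branch: two wired links plus an LTE backup.
HEALTHY = [
    Link("fiber", "wired", True, latency_ms=10, loss_pct=0.1, jitter_ms=2,
         capacity_mbps=100, used_mbps=80),
    Link("cable", "wired", True, latency_ms=25, loss_pct=0.5, jitter_ms=8,
         capacity_mbps=50, used_mbps=10),
    Link("lte", "lte", True, latency_ms=60, loss_pct=0.8, jitter_ms=20,
         capacity_mbps=20, used_mbps=0),
]
# Same branch after the fiber link starts dropping 3% of packets.
DEGRADED = [replace(HEALTHY[0], loss_pct=3.0)] + HEALTHY[1:]
# Both wired links down: only the LTE failover is left.
OUTAGE = [replace(HEALTHY[0], up=False), replace(HEALTHY[1], up=False), HEALTHY[2]]

if __name__ == "__main__":
    for label, links in (("healthy", HEALTHY), ("degraded", DEGRADED), ("outage", OUTAGE)):
        print(label, plan(links))
```

The caveat the example encodes is the one a practitioner would want stated: the LTE link is metered and jittery, so it is never part of the active/active pool, a bulk class like backup is not allowed to fail over to it at all, while a latency-sensitive class like voice does fail over once both wired links are out. Running the script prints the chosen link per class for the healthy, degraded and outage states.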

NFV is Out of Sync with the Cloud-Native Movement. Here’s a Solution

Like many other telecommunications companies that provide networking services, the Canadian national telco company Telus has ambitious goals for network functions virtualization (NFV) and digital... Read ›
NFV is Out of Sync with the Cloud-Native Movement. Here’s a Solution

Like many other telecommunications companies that provide networking services, the Canadian national telco Telus has ambitious goals for network functions virtualization (NFV) and digital transformation. However, at the Digital World Transformation 2018 event last year, Telus CTO Ibrahim Gedeon said that NFV had yet to live up to its original expectations and that exorbitant software licensing costs are undermining the NFV business case.

NFV was supposed to revolutionize the telecom business, allowing operators to separate hardware from software and become more efficient companies. What Telus has learned, according to Gedeon, is that the anticipated cost savings of NFV aren't there: high software licensing costs and maintenance charges eat into them. What's more, NFV has increased the complexity of the Telus network, and the company had to grow its operations team to support both the virtualized environment and the legacy appliances. Much of that complexity stems from having to integrate disparate technologies within the new NFV framework, much as in the old model.

Bryce Mitchell, Director of the NFV, Cloud & National Innovation Labs at Telus, echoed Gedeon's comments at Light Reading's NFV and carrier SDN conference. Mitchell pointed out that network service providers spend too much time and effort testing, validating, and deploying third-party VNFs, and that none of those tasks are really automatable. He also cited the difficulty of integrating the process of spinning up VNFs with the telco's back-end billing and provisioning systems and its OSS management systems. Mitchell believes the full value of NFV won't be achieved until these services are developed in an API-driven, cloud-native fashion.

The VNF approach is fundamentally flawed

Telus's experiences aren't unique. Numerous implementers and industry experts are realizing the limitations of NFV. (For a complete list of NFV problems, see here.)

The approach is fundamentally flawed because NFV simply repackages the paradigm it was trying to displace. We are still managing complex services as appliances, albeit software rather than hardware appliances. Thus, despite the industry hype, NFV will largely look like the managed or hosted firewalls and other devices of the past, with some incremental benefits from using virtual instead of physical appliances. Customers will still pay for every appliance license they use, and they will still need to size their environment so they don't over- or under-budget for their planned traffic growth. From a managed service perspective, supporting every VNF vendor's proprietary management is an operational nightmare and a costly endeavor. What is lacking is an effective orchestration framework to manage the deployment of the network functions. As Telus acknowledged, more people, not fewer, are needed to support the complexity of virtualization alongside the legacy technologies. Ultimately, if NFV doesn't allow network service providers to reduce their infrastructure, management, and licensing costs, customers will not improve their total cost of ownership (TCO), and adoption will be slow.

Bust the paradigm with cloudification of the functions

How do we bust the appliance paradigm? By hosting the services that have traditionally been appliances as Network Cloud Functions (NCFs) that form a cloud-native software stack. Unlike VNFs, NCFs are built natively for cloud delivery. They may be any network function, such as SD-WAN, firewalls, IPS/IDS, secure web gateways, and routers. Instead of separate "black box" VNF appliances, the functions are converged into a multi-tenant, cloud-based software stack.

Rather than having a separate VNF for each customer, an NCF supports multiple customers: one firewall for all customers on the cloud rather than a separate firewall per customer. Each customer still gets its own configuration, either on a self-service basis or as a managed service, through a single cloud-based console.

The Network Cloud Functions approach is far more manageable than Network Functions Virtualization. When a function like a firewall needs to be updated, it is updated once for the entire network and it's done. When a firewall is deployed as a separate VNF on numerous customers' networks, each one must be updated individually. This greatly reduces the operational challenges that are bogging down network service providers under NFV.

NCFs promise simplification, speed, and cost reduction. In some cases, these benefits come at the price of reduced vendor choice. It's for the enterprise to decide whether the benefits of NCFs outweigh the cost, complexity, and skills needed to sustain NFV-based or on-premises networking and security infrastructure.
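As an added example (not Cato's implementation) of what "one firewall for all customers" has to guarantee, the following Python sketch evaluates rules for several tenants in a single engine. The security point it makes is the one a practitioner checks first in any multi-tenant design: every lookup is keyed by tenant, so two customers who both number their branches out of 10.0.0.0/8 cannot match each other's rules, an unknown tenant is denied, and a provider-wide block list is changed once and applies to everyone. Tenant names, addresses and rules are made up for the demo.

```python
"""Tenant-scoped rule evaluation in a shared, multi-tenant cloud firewall.

Added example, not Cato's implementation. It illustrates the NCF idea from the
text: one firewall instance serves every customer, each customer sees only its
own policy, and a platform-wide change is made once for all tenants. Tenant
names, addresses and rules are made up for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None        # None matches any destination port

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, port: int) -> bool:
        return src in self.src and dst in self.dst and (self.port is None or self.port == port)


class SharedFirewall:
    """One engine, many tenants. Decisions never cross tenant boundaries."""

    def __init__(self) -> None:
        self._tenants: Dict[str, List[Rule]] = {}
        # Provider-maintained block list, applied to every tenant before its own rules.
        self._platform_blocklist: List[ipaddress.IPv4Network] = []

    def add_tenant(self, tenant_id: str) -> None:
        self._tenants[tenant_id] = []

    def add_rule(self, tenant_id: str, action: str, src: str, dst: str,
                 port: Optional[int] = None) -> None:
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        self._tenants[tenant_id].append(
            Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port))

    def block_platform_wide(self, cidr: str) -> None:
        """Updated once, enforced for every tenant (the NCF 'update once' property)."""
        self._platform_blocklist.append(ipaddress.ip_network(cidr))

    def decide(self, tenant_id: str, src: str, dst: str, port: int) -> str:
        """First matching rule wins; anything unmatched, or any unknown tenant, is denied."""
        rules = self._tenants.get(tenant_id)
        if rules is None:
            return "deny"                              # fail closed on an unknown tenant
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(d in net for net in self._platform_blocklist):
            return "deny"
        for rule in rules:                             # only this tenant's rules are consulted
            if rule.matches(s, d, port):
                return rule.action
        return "deny"


def build_demo() -> SharedFirewall:
    """Two tenants that both use 10.0.0.0/8 internally, as real customers often do."""
    fw = SharedFirewall()
    fw.add_tenant("acme")
    fw.add_tenant("globex")
    fw.add_rule("acme", "allow", "10.1.0.0/16", "10.1.5.0/24", 443)      # acme branch -> acme ERP
    fw.add_rule("acme", "allow", "10.1.0.0/16", "203.0.113.0/24", 443)   # acme -> a SaaS range
    fw.add_rule("globex", "allow", "10.1.0.0/16", "10.9.0.0/16")         # globex branch -> globex DC
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print("acme   10.1.2.3 -> 10.1.5.10:443 ", fw.decide("acme", "10.1.2.3", "10.1.5.10", 443))
    print("globex 10.1.2.3 -> 10.1.5.10:443 ", fw.decide("globex", "10.1.2.3", "10.1.5.10", 443))
    fw.block_platform_wide("203.0.113.0/24")
    print("acme   10.1.2.3 -> 203.0.113.7:443 after platform-wide block",
          fw.decide("acme", "10.1.2.3", "203.0.113.7", 443))
```

The same source and destination addresses produce an allow for acme and a deny for globex because the tenant identifier, not the address, selects the rule set; a shared engine that keyed rules on addresses alone would let overlapping RFC 1918 space leak one tenant's policy into another's. The platform-wide block is the flip side of the "update once" benefit: a single change by the provider takes effect for every tenant, which is exactly why that change path needs stronger review and audit than a per-tenant rule edit.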

How SD-WAN Provided an Alternative to MPLS – A Case Study

What’s transitioning to SD-WAN like? Ask Nick Dell. The IT manager at a leading automotive components manufacturer recently shared his experience transitioning his company from... Read ›
How SD-WAN Provided an Alternative to MPLS – A Case Study

What's transitioning to SD-WAN like? Ask Nick Dell. The IT manager at a leading automotive components manufacturer recently shared his experience moving his company from MPLS to Cato SD-WAN. During the webinar, we spoke about the reasons behind the decision, the differences between carrier-managed SD-WAN services and cloud-based SD-WAN, and the insights he gained from the experience.

Dell's company has been in business for over 60 years and employs 2,000 people across nine locations. Its manufacturing plants need non-stop network connectivity to ensure delivery to Ford, Toyota, GM, FCA, Tesla, and Volkswagen. Critical applications include cloud ERP and VoIP.

Before moving to SD-WAN, the company used an MPLS provider that managed everything. The carrier provided a comprehensive solution to address the critical uptime requirements, with three cloud firewalls at each datacenter and an LTE wireless backup at each location. When they signed the agreement with the MPLS provider, the solution seemed to be exactly what they needed to support their applications and uptime requirements. However, they quickly discovered problems with the MPLS solution that were impacting the business.

The Catalyst to Make a Change

Dell noticed a few challenges with the MPLS service:

#1 Bandwidth: Usage would peak at certain times and the provider's QoS configuration didn't work properly. Dell wanted to add bandwidth, but for some sites the MPLS provider offered only limited or no fiber connections. For example, the MPLS provider would say fiber was not available at a certain site, yet the local LEC was delivering the T1s over fiber.

#2 Internet Configuration Failures: The company also wanted to give OEM partners access to the cloud ERP system, but the MPLS provider was unable to configure working Internet-based VPNs for the partners. Internet failover also did not work as promised: when sites failed, not all components would switch over properly, creating failures in application delivery.

#3 Authentication Failures: The user authentication functionality provided by the MPLS provider was supposed to handle users moving their laptops and other endpoints between wired and wireless connections. However, the authentication process often failed, leaving users without Internet access. Only after two years did the provider propose a solution: software that would cost $5,000 and require installing agents on all the laptops.

These issues manifested themselves in day-to-day operations. Someone sending an email with a large attachment would make the ERP system slow to respond, which in turn delayed getting shipments out. Dell and the rest of the leadership knew it was time for a change. They needed highly available Internet with more bandwidth that worked as designed. Moreover, they wanted a provider that would work as a partner and could deliver 100% Internet uptime, fiber to all locations, a lower-cost solution, and all-in-one security.

The SD-WAN Options on the Table

Dell investigated three SD-WAN scenarios to replace the MPLS network:

- Carrier-managed SD-WAN
- Appliance-based SD-WAN
- Cloud-based SD-WAN

Moving to SD-WAN with the same carrier they were using for MPLS seemed like an easy move, but Dell was not inclined to deal with the same poor service and a "ticket-taker" attitude rather than problem-solving. The carrier also couldn't guarantee a 4-hour replacement window for the SD-WAN hardware.

The appliance-based SD-WAN solution would free them from the carrier issues, but ownership and management of the solution would fall to Dell and his team. The upfront costs were high, and security was not built into the solution.

Dell also looked into other cloud-based SD-WAN providers, but because of the company's size, the provider wanted to place them with an MSP for which SD-WAN is not a core business. The solution didn't provide full security, so they would need to buy additional security appliances, and the provider could not guarantee a 4-hour response time to replace failed hardware.

Why Cato

With the Cato Cloud solution, Dell is able to choose any ISP available at each location and now has fiber at all locations with 5-20x more bandwidth than before. This has given them more redundancy to the Internet and high availability (HA), with both redundant lines and redundant appliances, at every location. The bandwidth constraints are gone and QoS actually works. When there is downtime, the failover process works as expected. Describing the deployment experience as fast and easy, Dell needed only a 30-minute lunch break to cut over one location that had previously been among the most troublesome for outages and backup issues.

One of the driving factors that convinced Dell to go with Cato was the support, which he describes as "transparent and quick to resolve" issues. "They really listen to us, they really want to solve our problems," says Dell. He was also pleasantly surprised that Cato was the only vendor of all the solutions they investigated that didn't try to cash in on an HA solution with a recurring fee.

Dell demonstrated his ROI on the Cato solution in a few ways. Bandwidth has increased significantly, the increased network visibility lets him troubleshoot faster, security is integrated, and at the same time overall costs have decreased by 25%. User frustration is also down: users are no longer "being blocked from websites," he says. As for IT, they're also less frustrated, because dealing with support and opening tickets is, as Dell put it, "...so easy now."

4 Real World Challenges in Enterprise Networking & How SD-WAN Can Solve Them

Even though an enterprise network is considered the lifeline of an organization, there are certain challenges that have limited the efficiency of the enterprise networks.... Read ›
4 Real World Challenges in Enterprise Networking & How SD-WAN Can Solve Them

Even though an enterprise network is considered the lifeline of an organization, certain challenges have limited the efficiency of enterprise networks. Malware threats, limited data replication performance, network availability, sluggish network connectivity: all are challenges that can have an immediate impact on the business. Here's how to address them.

1. Ransomware, Malware, and BYOD

Enterprise networks face several types of security challenge. The usual culprits include ransomware, malware, ill-considered BYOD (Bring Your Own Device) strategies, and vulnerable protocols. Ransomware predominantly enters through an unguarded entry point, compromising network security as well as data security. With small branch offices often lax in their security policies, they become a favorite entry port for all too many attackers.

Personal mobile devices are another critical entry point. The adoption of BYOD practices means IT needs to take care when allowing personal devices onto the network. Otherwise, malware brought into the organization, perhaps unknowingly, could move laterally across the network and infect computers in other locations.

Apart from this, certain network protocols are themselves attractive targets. Remote-access and communication protocols like SSH, RDP, and HTTP are common targets through which an attacker can gain access to the network. Take the example of SSH. A typical large enterprise with 10,000+ servers could have more than one million SSH keys. Without proper key management, employees rarely rotate or redistribute their keys, which is a security risk on its own. Moreover, SSH keys embedded directly in code are hardly ever rotated, leaving a standing backdoor for attackers if the code or the key is ever exposed. RDP has had a history of vulnerabilities since its release: since at least 2002 there have been 20 Microsoft security updates specifically related to RDP and at least 24 separate CVEs.

2. Enterprise Data Replication & Bandwidth Utilization

Data replication is an important aspect of data storage, ensuring that data survives the loss of a site or system. Modern enterprise architecture also comprises multi-level tiered storage to create redundant and reliable backups. However, replication consumes a great deal of network bandwidth. As large chunks of data are transferred over the network for replication, they take up a major proportion of the available bandwidth, ultimately causing a network bottleneck that can severely impact performance.

3. Network Performance

Network performance is critical to any enterprise. It can be broken down into network speed and network reliability, both key performance parameters for an enterprise network. If an enterprise network becomes unstable, with higher downtime, overall performance suffers. Moreover, in the case of an unscheduled outage, the break-fix solution might include replacing legacy or failed devices. This costs both time and resources, and it impacts productivity. WAN outages have been one of the top contributors to lost productivity on enterprise networks.

4. Complexity and Connectivity to Cloud

Today, the majority of organizations have connected their enterprise networks to the cloud, and often to multiple clouds. However, multi-cloud architectures pose certain challenges for the enterprise network. Managing the different providers and applying an integrated security standard to all of them is hard. At the same time, it is difficult to strike a proper balance between on-premises and off-premises environments, including the challenge of deriving a sound model for connecting on-premises datacenters to the cloud. An enterprise network can deliver better performance and reliability if the on-premises and off-premises environments are properly balanced, and that balance should be defined by the organization's cloud strategy.

Software Defined WAN Solution

Most of the challenges faced by the enterprise network can be effectively solved by implementing software-defined WAN (SD-WAN), based on software-defined networking (SDN) concepts.

SD-WAN for enhanced network security

SD-WAN presents new security features, including service chaining that can work with the existing security infrastructure. Cato has integrated foundational security policies to curb issues pertaining to malware, ransomware, and vulnerable protocols. Security policies can also be set for the entire network from Cato's management console, making updating and enforcing security that much easier. Enterprises that require stronger security measures can use the advanced security and network optimization functions that run within the Cato Cloud.

SD-WAN for enhanced network performance

SD-WAN uses the Internet to create secure, high-performance connections that eliminate most of the obstacles associated with MPLS networks. SD-WAN can work alongside WAN optimization techniques that offer MPLS-like latency while routing data across the network, resulting in better performance. Cato, for instance, offers a unique multi-segment optimization that addresses performance issues at a fraction of the cost of MPLS and traditional WAN optimization. The performance benefits offered by SD-WAN include WAN virtualization and Network-as-a-Service, which lets the organization use Internet connections for optimized bandwidth usage.

SD-WAN for data replication and disaster recovery

With SD-WAN in place, enterprises have more choices for data replication and disaster recovery. Rather than tape-based backup, datacenters can move to WAN-based data transfer and replication. The usual WAN challenges of high latency, packet loss, bandwidth limitations, and congestion can be addressed by SD-WAN as an affordable MPLS alternative offering fast and reliable data transfer between datacenters.

In this post, we've covered some of the real-world challenges common in enterprise networking: security, performance, replication, and connectivity to the cloud. With the help of SD-WAN and related technologies, modern businesses can make their networks more efficient, reliable, and secure without having to rely on expensive MPLS optimizations.
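Returning to the SSH key-management point under challenge 1, here is an added example (not part of the original article) of the kind of check a security team can run across its servers: a Python audit of authorized_keys entries that flags deprecated DSA keys, RSA keys shorter than 2048 bits, keys installed without any from=/command=/restrict option, and the same key appearing more than once. The sample file is constructed in code with synthetic key blobs; the option names are standard OpenSSH ones, and the 2048-bit threshold is an assumed local policy.

```python
"""Audit OpenSSH authorized_keys entries for weak, unrestricted or duplicated keys.

Added example, not from the original article. The key blobs are built in code
from synthetic numbers so the example runs offline; they are not real keys.
"""
import base64
import re
import struct
from typing import Dict, List, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 2048   # assumed local policy

# Entry grammar: [options] keytype base64-blob [comment]; option values may be
# quoted and contain spaces, e.g. command="/usr/bin/rsync --server".
_ENTRY = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>' + "|".join(re.escape(t) for t in KEY_TYPES) + r')\s+'
    r'(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')


def _ssh_string(b: bytes) -> bytes:      # RFC 4251 "string": 4-byte length + data
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:         # RFC 4251 "mpint": big-endian, leading zero if MSB set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def rsa_bits(blob: bytes) -> int:
    """Modulus length of an ssh-rsa blob laid out as string 'ssh-rsa', mpint e, mpint n."""
    _, off = _read_string(blob, 0)
    _, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def fake_rsa_entry(bits: int, comment: str, options: str = "", tweak: int = 1) -> str:
    """Syntactically valid ssh-rsa line with a synthetic modulus (constructed, not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | tweak)
    line = f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {line}" if options else line


def audit(text: str) -> List[Dict]:
    """One record per key entry; an empty `findings` list means the entry passed."""
    seen: Dict[bytes, int] = {}
    report: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = {"line": lineno, "type": None, "bits": None, "comment": "", "findings": []}
        report.append(rec)
        m = _ENTRY.match(line)
        if not m:
            rec["findings"].append("unparseable entry")
            continue
        opts, ktype = m.group("opts") or "", m.group("type")
        rec["type"], rec["comment"] = ktype, (m.group("comment") or "").strip()
        try:
            blob = base64.b64decode(m.group("b64"), validate=True)
            declared, _ = _read_string(blob, 0)
        except Exception:
            rec["findings"].append("undecodable key blob")
            continue
        if declared != ktype.encode():
            rec["findings"].append(f"blob type {declared!r} does not match declared {ktype}")
        if ktype == "ssh-dss":
            rec["findings"].append("deprecated key type: ssh-dss (DSA)")
        elif ktype == "ssh-rsa":
            rec["bits"] = rsa_bits(blob)
            if rec["bits"] < MIN_RSA_BITS:
                rec["findings"].append(f"short RSA modulus: {rec['bits']} bits (minimum {MIN_RSA_BITS})")
        if not re.search(r'(^|,)(from=|command=|restrict)', opts):
            rec["findings"].append("unrestricted: no from=/command=/restrict option")
        if blob in seen:
            rec["findings"].append(f"duplicate of line {seen[blob]}")
        else:
            seen[blob] = lineno
    return report


_DSS_BLOB = base64.b64encode(_ssh_string(b"ssh-dss") + b"\x00" * 16).decode()
_ED_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()

# Constructed sample file: synthetic blobs, made-up comments.
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    fake_rsa_entry(2048, "alice@laptop"),
    fake_rsa_entry(2048, "backup@nas", options='from="10.0.0.0/8",command="/usr/bin/rsync --server"', tweak=3),
    fake_rsa_entry(1024, "legacy@ci"),
    f"ssh-dss {_DSS_BLOB} old@box",
    fake_rsa_entry(2048, "alice@desktop"),          # same blob as alice@laptop
    f"restrict ssh-ed25519 {_ED_BLOB} ci@runner",
])

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(rec["line"], rec["type"], rec["bits"], rec["comment"], rec["findings"] or "ok")
```

Run over files collected from every host (for example by shipping each account's authorized_keys to a central store with the hostname prepended), the duplicate check is what exposes one key reused across many servers, which is the sprawl behind the article's one-million-key figure; the "unrestricted" finding is the one to fix first for automation accounts, since a from= or command= option limits what a leaked key is worth.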

The Cloud-Native Network: What It Means and Why It Matters

It’s no secret that CIOs want their networks to be more agile, better able to accommodate new requirements of the digital business. SD-WAN has made... Read ›
The Cloud-Native Network: What It Means and Why It Matters

It's no secret that CIOs want their networks to be more agile, better able to accommodate the new requirements of the digital business. SD-WAN has made significant advances in that regard. And yet it's equally clear that SD-WAN alone cannot futureproof enterprise networks. Mobile users, cloud resources, security services: all are critical to the digital business, and none are native to SD-WAN. Companies must invest in additional infrastructure for those capabilities. Skilled security and networking talent is still needed to run those networks, expertise that's often in short supply. Operational costs, headaches, and delays are incurred when upgrading and maintaining security and networking appliances.

Outsourcing networking to a telco managed network service does not solve the problem. Capital, staffing, and operational costs continue to exist, only now marked up and charged back to the customer. And, to make matters worse, enterprises lose visibility into and control over the traffic traversing the managed network services.

How then can you prepare your network for the digital business of today, and tomorrow? Cloud-native networks offer a way forward. Like cloud-native application development, cloud-native networks run the bulk of their route calculation, policy enforcement, and security inspection (the guts of the network) on a purpose-built software platform designed to take advantage of the cloud's attributes. The software platform is multitenant by design and operates on off-the-shelf servers capable of breakthrough performance previously only possible with custom hardware. Eliminating proprietary appliances changes the technical, operational, and fiscal characteristics of enterprise networks.

5 Attributes of Cloud-Native Network Services

To better understand their impact, consider the five attributes a provider's software and networking platform must meet to be considered cloud-native: multitenancy, scalability, velocity, efficiency, and ubiquity.

Multitenancy

With cloud-native networks, customers share the underlying infrastructure, with the necessary abstraction to give each a private network experience. The provider is responsible for maintaining and scaling the underlying infrastructure. Like cloud compute and storage, cloud-native networks have no idle appliances; multitenancy allows providers to make full use of their underlying infrastructure.

Scalability

As cloud services, cloud-native networks carry no practical scaling limitation. The platform accommodates new traffic loads or new requirements, and the software stack can immediately take advantage of additional compute, storage, memory, or networking resources. As such, enabling compute-intensive features such as SSL decryption does not degrade service functionality.

Velocity

By developing their own software platforms, cloud-native network providers can innovate rapidly, making new features and capabilities available at once. All customers across all regions benefit from the most current feature set. Troubleshooting takes less time since the support and platform development teams work together. And because the core functionality is in software, cloud-native networks can expand to new regions in hours or days, not months.

Efficiency

Cloud-native network design promotes efficiencies that lead to higher network quality at lower cost. Platform ownership reduces third-party license fees and keeps support costs nominal. Leveraging the massive build-out of IP infrastructure avoids the costs telcos incurred constructing and maintaining physical transmission networks. A smart software overlay monitors the underlying network providers and selects the optimum one for each packet. The result: a carrier-grade network at an unmatched price/performance.

Ubiquity

Like today's digital business, the enterprise network must be available everywhere, accessible from many edges and supporting physical, cloud, and mobile resources. Feature parity across regions is critical for maximum efficiency. Access to the cloud-native network should be possible through physical and virtual appliances, mobile clients, and third-party IPsec-compatible edges. This way, one network can truly connect any resource, anywhere.

A Revolutionary, Not Evolutionary, Shift in Networking

By meeting all five criteria, cloud-native networks avoid the cost overhead and stagnant processes of traditional service providers. Such benefits cannot be gained by merely porting software or hosting an appliance in the cloud; the network must be built from scratch with the DNA of a cloud service. In this, cloud-native networks are a revolution in network architecture and design.

Standard Insurance Transforms WAN with Cato Cloud to Win ICMG Award For Best IT Infrastructure Architecture

It’s always great to see a winning customer implementation;  it’s even better when others see it too. We just announced that a customer of ours,... Read ›
Standard Insurance Transforms WAN with Cato Cloud to Win ICMG Award For Best IT Infrastructure Architecture

It's always great to see a winning customer implementation; it's even better when others see it too. We just announced that a customer of ours, Standard Insurance Co., has won an ICMG Architecture Excellence Award for its digital transformation initiative. Kudos to the entire Standard Insurance IT team.

“The cost of the total solution Cato is providing us – including the centralized management, cloud-based monitoring, and reports – matches the cost of the firewall appliances alone. But with appliances, we would still need to add the cost of appliance management, the advanced protection, and other firewall components,” says Alf Dela Cruz, head of infrastructure and cybersecurity at Standard Insurance.

[Figure: Standard Insurance's digital transformation was so effective it won an ICMG award for architectural excellence]

The ICMG Architecture Excellence Awards is a vendor-independent, global competition benchmarking enterprise and IT architecture capabilities. Nominations are submitted by IT teams worldwide and evaluated by a select group of judges. Past winning submissions have come from companies such as Credit Suisse, L'Oreal, and Unisys.

Back in 2016, Standard Insurance's CEO initiated a multiyear digital transformation initiative emphasizing the importance of online insurance selling. As part of that effort, the company needed to upgrade its backend infrastructure, changing its core insurance software and migrating from a private datacenter to AWS. Standard Insurance needed an enterprise network optimized for the hybrid cloud, with strong protection against Internet-borne threats. After two ransomware incidents, the CEO demanded a dramatically improved security posture.

Cato connected the company's 60 branches, the headquarters in Makati, Philippines, and the company's AWS instance into Cato Cloud. Branch firewall appliances were replaced with Cato Security Services, a tightly integrated suite of cloud-native services built into Cato Cloud that includes next-generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware prevention.

[Figure: With Cato, Standard Insurance eliminated branch firewalls and connected 60 branches and AWS into one, seamless network]

So effective was the implementation that Dela Cruz now encourages others to migrate to Cato. “We are recommending Cato to our business partners,” says Dela Cruz. “We love that the solution is cloud-based, easy to manage, and less expensive than other options.”

To read more about Standard Insurance's implementation click here.

How To Best Design Your WAN for Accessing AWS, Azure, and the Cloud

In 2014, Gartner analysts wrote a Foundational Report (G00260732, Communication Hubs Improve WAN Performance) providing guidance to customers on deploying communication hubs, or cloud-based network... Read ›
How To Best Design Your WAN for Accessing AWS, Azure, and the Cloud In 2014, Gartner analysts wrote a Foundational Report (G00260732, Communication Hubs Improve WAN Performance) providing guidance to customers on deploying communication hubs, or cloud-based network hubs, outside the enterprise data center. Five years later, that recommendation is more important than ever, as current enterprise computing strategies dictate the need for a modern WAN architecture. What is a communication hub? A communication hub is essentially a datacenter in the cloud, with an emphasis on connectivity to other communication hubs, cloud data centers, and cloud applications. Hubs house racks of switching equipment in major colocation datacenters around the world, and together they form a series of regional Points of Presence (PoPs). These PoPs are interconnected with high-capacity, low-latency circuits that create a high-performance core network. Communication hubs also have peering relationships with public cloud data centers such as those from Amazon, Microsoft and Google, and major cloud applications from Microsoft, NetSuite, Salesforce and more. This helps deliver predictable network performance. At the edge of this network, customers can connect their branch locations, corporate data centers, mobile and remote users to the core network via their preferred carrier services (MPLS, broadband, LTE, etc.) using secure tunnels. Each entity connects to the communication hub nearest them to reduce latency. Communication hubs also host regionalized security stacks so that traffic going to/coming from the Internet and external clouds can be inspected thoroughly for threats. This eliminates or vastly reduces the need for customer locations to host security appliances of their own. 
The need for communication hubs, and the benefits they provide According to the Gartner report, the primary reasons for developing a WAN architecture based on communication hubs are the same reasons Cato has been articulating for years:   Cloud services are responsible for moving more applications out of the corporate datacenter and onto IaaS and SaaS platforms. This need to send traffic directly into the cloud requires the core WAN backbone based on the hubs to become the new corporate LAN. An increasing number of mobile users needing access to enterprise applications want a high-quality user experience, without the latency of backhauling their traffic to a corporate data center. Voice and video traffic is on the rise, and it requires high bandwidth, low latency transport. Also, companies need the ability to prioritize certain types of traffic across the WAN.   We would add to this list the need to distribute security to the regional locations close to where the users are, without having to have hardware appliances in the branches. The Gartner report notes that creating a WAN backbone architecture based on communication hubs connected with high-speed links provides many benefits to the enterprise, including:   Minimize Network Latency — This type of architecture ensures the fastest network path between an enterprise's strategic sites, which include data centers, branch locations, cloud providers and a large population of the enterprise's customer base. Keep Traffic Regionalized — Minimize the backhauling of traffic into a corporate datacenter when it has to go from the enterprise network to the Internet, or for audio/Web/video collaboration. Utilize Ethernet for Cloud Connectivity — Cloud services can be accessed via private connectivity via Ethernet and MPLS, providing more predictable performance. Provide On-Demand Flexibility — Easily and quickly modify bandwidth as business needs change by provisioning new circuits within days via self-service. 
Cato Cloud is the ultimate network of communication hubs From the very beginning, Cato’s vision has been very similar to the WAN architecture described in Gartner’s report. Cato has built a global network of PoPs – our term for “communication hubs” – where each PoP runs an integrated network and security stack. At this writing, there are more than 40 PoPs covering virtually all regions of the world. Our goal is to place a PoP within 25 milliseconds of wherever businesses work. The PoPs are interconnected with multiple tier-1 carriers that provide SLAs around long-haul latency and packet loss, forming a speedy and robust core network. The PoP software selects the best route for each packet across those carriers, ensuring maximum uptime and the best end-to-end performance. The design offers an immediate improvement in network quality over unpredictable Internet links at a significant cost reduction over MPLS. All customer entities connect to the Cato Cloud backbone using secure tunnels, which can be established in a couple of ways. Cato can terminate an IPsec tunnel from customers’ existing equipment, such as a firewall in a datacenter or branch location. A second way is to use a Cato Socket, a zero-touch SD-WAN device that manages traffic across the last mile from a branch office. Mobile users can connect via a Cato Client on their device. Thus, every customer location and user can connect easily and securely to the WAN. Cato applies a layer of optimization at the cloud, for both cloud data centers and cloud applications. For cloud applications, Cato can set egress points on its global network so that Internet traffic for specific apps exits at the Cato PoP closest to the customer’s instance of that app; Office 365, for example. For cloud data centers, Cato PoPs are co-located in datacenters that are directly connected to the same Internet exchange points as the leading IaaS providers such as AWS and Azure.
Cato drops the traffic right in the cloud provider’s data center, the same way a premium connection like AWS Direct Connect or Azure ExpressRoute would, so those services are no longer needed when using Cato Cloud. In short, Cato’s multi-segment acceleration combines both the edge and the global backbone, allowing Cato to maximize throughput end-to-end to both WAN and cloud destinations. This is the crux of the argument for communication hubs. Security is an integral component of Cato’s global network. Converging the networking and security pillars into a single platform lets Cato collapse multiple security solutions, such as a next-generation firewall, secure web gateway, anti-malware, and IPS, into a cloud service that enforces a unified policy across all corporate locations, users and data, so the same policy applies wherever traffic enters the network. Communication hubs provide a flexible WAN architecture with significant benefits. Companies can choose to build their own network of hubs at great expense, or they can plug into the Cato Cloud and enjoy all the benefits of a modern WAN from day one.

SD-WAN Consideration Factors for Global Companies

SD-WAN Consideration Factors for Global Companies For global companies still operating with a legacy WAN architecture, WAN modernization is mandatory today for a variety of reasons. For example, digital transformation is based on business speed, and a lack of network agility can hold an organization back. A company that has to wait months to install networking equipment in order to open a new location might miss a fleeting business opportunity. Many businesses have spent millions of dollars increasing their level of application and compute agility through the use of cloud resources, and now it’s time to update the network with a software-defined WAN. When it comes to modern cloud-based applications, a poor network will result in a poor experience. “SD-WAN” is a very broad category. Architectures can vary greatly from one vendor to another, and from one service provider to another. CPE (customer premises equipment), broadband transport, security, and other factors can be quite different from one provider to the next. If a company chooses the wrong SD-WAN, it can be detrimental to the business. Global companies have unique networking needs. Workers across far-flung locations around the world often need to communicate and collaborate. For example, product developers in the U.S. need to confer in real time with managers in manufacturing plants in Asia. Architects in Europe need to send blueprints to builders in South America. These routine work activities place special demands on the network pertaining to bandwidth, response times and data security. We asked Zeus Kerravala, Principal Analyst with ZK Research, to outline his set of SD-WAN considerations for global companies. According to Kerravala, the choice of network is critically important for companies with locations across the globe. He explains the importance of considering Internet transport for global connections, managing CPE, and securing branch offices.
WAN transport considerations
Many SD-WAN solutions are big proponents of augmenting or replacing MPLS circuits with broadband connectivity, says Kerravala. “Broadband Internet transport is fine for short distances but it can add significant latency in global connections.” He pointed to a chart drawn from his research that demonstrates sample response times of these longer distances using the Internet versus a private network.

Sample Average Response Times
Route                   Internet (seconds)   Private Network (seconds)
Dubai to Dallas         1.185                0.375
Dubai to London         4.24                 0.19
Frankfurt to Shanghai   1.99                 0.2
San Jose to Shanghai    3.97                 0.306
San Jose to Chicago     0.194                0.158

“A lot of these response times have to do with how Internet traffic works. ‘The Internet’ is really a collection of interconnected networks, and it’s difficult to know how your traffic moves around on this system of networks,” says Kerravala. “Various factors can affect Internet response time, such as the time of day, but it’s easy to see that the differences are staggering compared to using a private network. You might look at some of these figures and think that the difference isn’t very much, but if you are moving large packets of data, say for data center replication, it might actually make a difference in how long it takes to perform an activity.” Latency can affect important applications like voice and video. Kerravala points out that there are a lot of SD-WAN vendors, and many of them target different kinds of customers. “The service providers that have their own private backbone are a better fit for global companies because they leverage the benefit of broadband as an on-ramp but it doesn’t become the transport network.”
Managing CPE
Many SD-WANs require significant CPE and managing them globally is an issue. “It’s expensive and time-consuming for an engineer to visit branch locations around the globe to install firewalls and routers. The process can hold up opening new offices,” says Kerravala.
“The traditional model of having the networking equipment on premises is actually getting in the way of businesses. Digital transformation is about agility. If a company is trying to take advantage of some sort of market transition and open up a new office but now they have to wait a couple of months in order to get a box shipped to a certain location and have an engineer hop on a plane, that’s a problem. How you manage the CPE is as important as how you manage the transport.” There’s been a lot of chatter in the industry about NFV (network functions virtualization) or virtual CPE and the ability to take a network function and run it as a virtual workload on some kind of shared appliance. Conceptually, putting a WAN optimizer or a router on some sort of white box server sounds great. “I can take multiple appliances, consolidate them down to one and all of a sudden I have a better model,” says Kerravala. “On the upside, it does lower the cost of hardware. The problem is, it doesn’t really address many of the operational issues. I have replaced physical with virtual and maybe I can deploy it faster because I can remotely install it but operationally, I’m still managing these things independently.” A company that has 100 global offices might have 100 virtual firewalls instead of 100 physical ones, but they still need to be managed independently. Administrators need to worry about firewall rule sets, configuration updates, and software updates. Moreover, the company doesn’t get the same kind of elastic scale that it would get from the cloud. So, the company has addressed half the problem in that its hardware costs are less but they have introduced some new operational challenges. Kerravala calls the lack of hardware scaling capabilities “the dark side of vCPE” that doesn’t get talked about much. He recommends that global companies shift their networking equipment to the cloud to get better scalability and to eliminate the need to maintain equipment locally. 
“There’s no reason today to not leverage the cloud for as much as possible. We do it in the computing world and the application world and we should do it for the network environment as well,” says Kerravala. “If I’m going to move to this virtualized overlay type of network or some sort of SD-WAN, then a better model is to take my vCPE and push it into the cloud. And so, the functions now exist in your cloud provider and they inherit all the benefits of the cloud—the concept of pay per use and elastic scaling, the ability to spin services up and spin services down as needed. If I want to open a new office, I know I need routing capabilities and a firewall and maybe a VPN. I can just pick those from a menu and then have them turned up almost immediately. So, there’s no infrastructure management needed, there are no firmware updates, there are no software updates. The cloud provider handles all of that. I have a lot more assurance that when I request a change, it is going to propagate across my network at once. I don’t have to manage these things node by node. It can significantly change the operational model.” Security considerations Along with CPE and transport, global companies have to think about security implications as well. For example, securing branch offices independently is complicated and error-prone. Traditional CPE-based security is very rigid and inflexible, and in an era when companies want to do things quickly, it can be a challenge to have to manage security solutions from multiple vendors. The process of keeping rules up-to-date and keeping policies up to date is complicated because not all vendors use the same syntax or follow the same rules. That process for even two vendors is so overly complicated that it’s hardly worth the effort. Say a company has 100 offices and not all of them have been upgraded to the same level of firewall software. 
The company wants to put in a new security patch, but it might not be possible until all the firewalls have been upgraded. Anyone involved in networking knows that configurations get out of alignment with each other very quickly. vCPE offers some benefits but it really doesn’t change that model. Kerravala explains that the middle mile is not all that secure. “You can protect the edges but that middle mile is where a lot of the threats come from, and so you get inconsistent protection across the organization. This is where thinking about changing the security paradigm by moving a lot of these functions into the cloud makes a lot more sense because now security is almost intrinsic across the entire network. You can protect the edges but you can also protect that middle mile where a lot of the breaches happen today,” he says. In summary Because of the unique needs that global organizations have, they must thoroughly evaluate the architectures of various SD-WANs. Kerravala recommends implementing much of the SD-WAN infrastructure in the cloud to simplify management and operations and to improve security. For more information on this topic, watch the recorded webinar The Practical Blueprint for MPLS to SD-WAN Migration.    

What is OTT SD-WAN?

What is OTT SD-WAN? Companies evaluating which SD-WAN approach is best for them will have to decide between deploying an Over the Top (OTT) SD-WAN or having their SD-WAN bundled with the underlying network. The decision has a big impact on the SD-WAN’s complexity, performance, and affordability. The benefits of OTT SD-WAN OTT SD-WAN is any SD-WAN that operates over third-party network services. Those might be MPLS services or Internet last-mile services, such as DSL, cable, and 4G. SD-WAN appliances always use an OTT approach unless bundled with a network. The biggest benefit of OTT SD-WAN is the flexibility to select the network provider. Enterprises can choose whichever ISP or network provider has the best performance for a given location. Where resiliency is a concern, companies can easily work with multiple ISPs to dual-home and diversely route circuits for maximum uptime. The drawbacks of OTT SD-WAN SD-WAN performance across global connections very much depends on the performance of the underlying connectivity. The latency introduced by the long distances of global connections is only exacerbated when traversing the Internet core with its unpredictable and often poor routing. The problem lies in the way providers are interconnected and in how global routes are mismanaged, and this is totally out of the control of the OTT SD-WAN provider, the ISPs of the underlying network, and of course, the customer. (Read This is Why the Internet is Broken: a Technical Perspective to learn more.) Long latencies of Internet routing can be quite problematic for applications like voice, video and unified communications. The unpredictable performance poses problems for delivering acceptable, professional-grade communications. There are other issues with OTT SD-WAN solutions as well. Their reliance on appliances makes them better suited to connecting sites than to connecting other enterprise resources.
Mobile users are beyond the scope of OTT SD-WAN, and even cloud connectivity poses problems, requiring the installation of an SD-WAN appliance in or near the cloud datacenter or cloud application. All too often, though, there isn’t a simple location to install such a device. Connecting the cloud into an OTT SD-WAN increases not only costs (an additional appliance) but also design complexity. Enterprises must find or lease premises to place the SD-WAN appliance near the cloud application instance, and do that for every critical application. Is Cato an OTT SD-WAN? Cato Networks affords the last-mile flexibility of OTT solutions and the performance of managed underlay infrastructure. Last-mile flexibility Cato SD-WAN devices, Cato Sockets, sit in each location, automatically establishing encrypted tunnels across the available Internet connections to the nearest Cato Point of Presence (PoP). Companies are free to use any available last-mile service. Cato Sockets include the technology to overcome last-mile problems that might arise when running across third-party last-mile networks. Packet Loss Compensation techniques compensate for and eliminate last-mile packet loss. Enhanced Link Capacity and Resiliency allows enterprises to run multiple last-mile lines in parallel (active/active mode), increasing capacity and last-mile availability. Should a line fail (blackout) or slow down (brownout), Cato can automatically route traffic to the alternate line, avoiding the problem. Managed backbone performance At the same time, Cato uses its own global, affordable, SLA-backed backbone to address the limitations of the Internet core. Cato PoPs are connected by a privately managed global backbone built from affordable, SLA-backed IP capacity across multiple carriers. Cato PoPs select the optimum path for every packet, routing traffic across the Cato Cloud Network to the PoP nearest the final destination.
By keeping the traffic on the Cato backbone, packet loss is minimized and latency can be guaranteed between global locations. During its testing, Paysafe found latency between Cambridge and Montreal to be 45% less with Cato Cloud than with the public Internet. Cato performance was so good it was nearly identical to that of MPLS — at a fraction of the cost. And low latency and packet loss aren’t the only benefits of running across the Cato Cloud Network. Built-in optimization techniques also dramatically improve data throughput. Stratoscale, for example, saw throughput jump by 8x when file transfers moved from the Internet to the Cato Cloud Network. Flexibility to connect cloud resources and mobile users — easily With a global backbone of PoPs, connecting cloud resources and mobile users also becomes far easier. Traffic to Salesforce.com, Office 365, or cloud data centers, such as Amazon AWS and Microsoft Azure, will exit at the PoP closest to these services, in many cases within the same datacenter hosting both the PoP and the cloud service instance. This is a dramatic improvement over the unpredictable public Internet utilized by OTT SD-WANs. Similarly, mobile users run the Cato Client on their device and automatically connect to the closest Cato PoP. Overall, we believe the Cato approach provides the best of both worlds. Fold in our converged security stack and the ability to support cloud resources and mobile users, and we believe the advantages of Cato’s SD-WAN are clear. But don’t take our word for it, read what real customers have to say.

Cato MDR and Zero-Day Threat Prevention: Meet Our Two Newest Security Offerings

Cato MDR and Zero-Day Threat Prevention: Meet Our Two Newest Security Offerings Today we announced two significant additions to Cato Security Services. Cato Managed Threat Detection and Response (MDR) offloads the resource-intensive and skill-dependent process of detecting compromised endpoints onto Cato. A new partnership with SentinelOne, the leading provider of autonomous endpoint protection solutions, brings zero-day threat prevention to Cato’s cloud-based network protection. Together with the rest of our security services, Cato brings a comprehensive suite of security services for protecting the enterprise from Internet-borne threats. “Cato MDR has already discovered several pieces of malware missed by our antivirus system and we removed them more quickly because of Cato,” says Andrew Thomson, director of IT systems and services at BioIVT, a provider of biological products to life sciences and pharmaceutical companies. BioIVT relies on Cato to connect and secure its global network. Cato MDR Squashes Malware Dwell Time Cato MDR is a fully managed service that offloads the detection of compromised endpoints onto Cato’s security operation center (SOC) team. Cato MDR includes: Automated threat hunting — machine learning algorithms look for anomalies across billions of flows in Cato’s data warehouse and correlate them with threat intelligence sources and complex heuristics. This process produces a small number of suspicious events for further analysis. Expert threat verification — Cato security researchers review flagged endpoints and assess the validity and severity of the risk, only alerting on actual threats. Cato relieves customers from handling the flood of false-positives that suck precious IT resources. Threat containment — Verified live threats can be contained automatically by blocking C&C domains and IP addresses, or disconnecting compromised machines or users from the network. 
Guided remediation — The Cato SOC advises on the risk’s threat level and recommended remediation, and follows up until the threat is eliminated. Aside from the ongoing alerts of discovered threats, Cato MDR customers also receive a monthly report on the month’s activity. To see one such report (identifying information has been removed), click here. (Figure: In addition to instant alerts, Cato MDR includes a monthly audit report of all incidents.) Zero-Day Threat Prevention with SentinelOne Cato is also announcing next-gen threat prevention capabilities from SentinelOne. The company’s industry-leading, AI-based endpoint protection solution identifies threats without signatures, making SentinelOne particularly effective at stopping zero-day malware. Cato has implemented the SentinelOne threat prevention engine as a network-level defense. SentinelOne will run in Cato’s PoPs globally, analyzing files in transit from the Internet or from other Cato-connected resources, such as sites and mobile users. As such, Cato prevents zero-day malware from ever reaching targeted endpoints or moving laterally across the WAN. “Cato’s network-based implementation of SentinelOne’s Nexus SDK will accelerate the deployment of next-gen threat prevention capabilities across customer networks of all sizes,” says Tomer Weingarten, CEO and Co-Founder, SentinelOne. “In today’s hyper-connected world, security is a core and inseparable tenet of networking. Partnering with Cato provides a robust, network-based, threat prevention solution that’s seamless, smart, and easy to deliver across the globe.” Comprehensive Security Built Into the Network — Everywhere If comprehensive protection against network-based attacks ever seemed too complicated to assess, too difficult to implement, or too expensive to deploy — Cato Security Services are for you.
Once sites, mobile users, or cloud resources across the globe connect to Cato they’re protected from Internet-borne threats. “We thought updating our security architecture was going to require running around to different vendors, piecing together a solution, and going through all of the deployment and management pains. So, when we found out that Cato not only delivered a global network but also built-in security services and now MDR, we were extremely excited. It was a huge help,” says Thomson. To learn more about Cato security services click here.
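The MDR pipeline described above (hunt for anomalies in flow records, correlate them with threat intelligence, then contain by blocking C&C destinations and isolating hosts) can be illustrated with a small correlator. The following is an added example, not Cato's own code; the flow records and the indicator list are constructed for the demonstration, and "beaconing" (a host contacting the same destination at a near-constant interval) is one representative heuristic chosen here, not a description of Cato's machine-learning models.

```python
"""Toy flow-log triage: threat-intel matches plus beaconing detection,
followed by the containment actions an MDR analyst would derive.
Added illustration only; not Cato's implementation."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator list (hypothetical; not from any real feed).
THREAT_INTEL = {"evil-cdn.example", "198.51.100.23"}

# Constructed flow log: (epoch seconds, source host, destination, bytes out).
FLOWS = (
    # ws-42 phones home roughly every 60 s: the classic beacon signature.
    [(t, "ws-42", "updates-mirror.example", 300)
     for t in (100, 160, 221, 280, 340, 401, 460, 520)]
    # ws-05 checks mail at irregular intervals: normal user behaviour.
    + [(t, "ws-05", "mail.example", 4000)
       for t in (30, 500, 530, 1500, 1520, 3000, 3100)]
    # Two one-off contacts with known-bad indicators.
    + [(700, "ws-17", "evil-cdn.example", 512),
       (1200, "ws-09", "198.51.100.23", 128)]
)


def threat_intel_matches(flows, intel):
    """Sorted (host, destination) pairs where the destination is on the indicator list."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in intel})


def beacons(flows, min_count=6, max_cv=0.1):
    """Sorted (host, destination, period) triples whose contacts are periodic.

    A pair is periodic when it has at least `min_count` flows and the
    coefficient of variation of the inter-arrival gaps is at most `max_cv`.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            found.append((src, dst, round(period)))
    return sorted(found)


def triage(flows, intel):
    """Suspicious events plus the block list and isolation list they imply."""
    events = [("threat-intel", src, dst)
              for src, dst in threat_intel_matches(flows, intel)]
    events += [("beacon", src, dst) for src, dst, _ in beacons(flows)]
    return {
        "events": events,
        "block": sorted({dst for _, _, dst in events}),     # C&C destinations
        "isolate": sorted({src for _, src, _ in events}),   # compromised hosts
    }


if __name__ == "__main__":
    for key, value in triage(FLOWS, THREAT_INTEL).items():
        print(key, value)
```

The point of the two-stage split is the one the article makes: the heuristics reduce thousands of flows to a handful of candidate events, and only those go to a human for verification before any block or isolation is applied.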

4 Ways Cato is Perfect for UCaaS

4 Ways Cato is Perfect for UCaaS Cato announced today that it’s been certified as a connectivity partner of RingCentral, a leading provider of enterprise cloud communications, collaboration and contact center solutions. During certification testing, RingCentral found Cato could deliver high-quality voice even across lines with 15 percent packet loss. You can hear for yourself what that sounds like on this brief webinar. The certification is just the latest example of why Cato is the perfect network for unified communications as a service (UCaaS) deployments.  What is it about Cato that makes it so well suited for UCaaS? Glad you asked. Let us count the ways…. Minimize Latency Undermining UCaaS It’s no secret that latency is the enemy of call quality. It’s also no secret that traditional networks add latency to UCaaS sessions, backhauling all cloud (including UCaaS) traffic to a centralized, secured Internet gateway. And once on the Internet, latency remains unpredictable as UCaaS traffic is subject to the public Internet. Cato minimizes latency by eliminating backhaul and avoiding the unpredictable public Internet. Backhaul is eliminated by sending UCaaS traffic directly across the Cato network to the Cato PoP closest to the UCaaS destination. And as Cato and RingCentral share the same physical datacenters, public Internet latency is minimized. Overcome Congestion and Last-Mile Packet Loss Degrading Voice Quality Congestion, particularly in the last-mile, becomes a significant problem for delivering UCaaS over SD-WAN.  Broadband connections are often used by SD-WAN to reduce last mile costs. But broadband connections are also oversubscribed, leading to dropped packets particularly during peak times. Cato overcomes congestion and last-mile packet loss. Sophisticated upstream and downstream Quality of Service (QoS) ensure UCaaS traffic receives the necessary bandwidth to and from a branch office. 
Policy-based Routing (PBR) along with real-time, optimum path selection across the Cato Network minimizes packet loss. Avoid Internet Brownouts and Blackouts That Break UCaaS Sessions Part of the challenge with bringing UCaaS over SD-WAN is the low uptime of broadband Internet connections. MPLS services are SLA-backed with five-nines uptime. Dedicated Internet access (DIA) also comes with SLAs and significant uptime levels, but not so for broadband connections. Cable, DSL and other broadband connections are best-effort, delivered without SLAs. Cato overcomes last-mile availability problems by sending traffic across multiple last-mile links (active/active mode; other options, such as active/passive and active/active/passive, are also available). In the event of a brownout or blackout, UCaaS sessions automatically fail over to the secondary connection fast enough to preserve a call. Brownouts are also mitigated by various Packet Loss Mitigation techniques. Secure Users Against Network-based Attacks UCaaS quickly becomes a critical application for many organizations, which makes securing UCaaS against disruption particularly important. SD-WAN, though, relies on local Internet breakout, expanding a company’s attack surface. Without the necessary security capabilities built into the SD-WAN, UCaaS and the rest of the enterprise traffic are at greater risk. Cato addresses this problem by converging security services into the network. Next-generation firewall (NGFW), intrusion prevention service (IPS), advanced threat protection, and network forensics are converged into Cato Cloud, protecting UCaaS and all traffic from Internet-borne threats. All security services are available everywhere without deploying additional software or hardware. Experience It Yourself Those are the main ways we can help support your UCaaS deployment.
To learn more about the Cato Networks and RingCentral partnership and experience first-hand Cato Network’s ability to deliver high-quality voice with even 15 percent packet loss, watch this brief webinar and demonstration.
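Both the OTT SD-WAN article above (Packet Loss Compensation and active/active last-mile lines) and this UCaaS article (15 percent last-mile loss, brownout failover to a secondary connection) rely on the same two ideas: detect that a line has gone bad and move traffic off it, or send redundant copies so that a single drop does not lose the packet. The simulation below is an added example, not Cato Socket code; it models two lossy last-mile links with independent random drops and compares an active/passive policy that fails over on a brownout threshold against active/active duplication with sequence-number de-duplication at the receiver. The loss rates, window size and threshold are assumptions chosen for the illustration.

```python
"""Toy model of two last-mile loss-handling policies: active/passive with
brownout failover, and active/active packet duplication with sequence-number
de-duplication at the receiver.  Added illustration only, not Cato's code;
loss rates, window size and brownout threshold are assumptions."""
import random
from collections import deque


class LossyLink:
    """A link that drops each packet independently with probability `loss`."""

    def __init__(self, name, loss, rng):
        self.name, self.loss, self.rng = name, loss, rng

    def send(self, seq):
        """Return the sequence number if delivered, None if dropped."""
        return None if self.rng.random() < self.loss else seq


class Receiver:
    """Counts each sequence number once, whichever link delivered it first."""

    def __init__(self):
        self.seen = set()

    def accept(self, seq):
        if seq is None or seq in self.seen:
            return False
        self.seen.add(seq)
        return True


def active_passive(links, n_packets, window=50, brownout=0.10):
    """Send on one link; switch to the next when its loss over the last
    `window` packets exceeds `brownout`.  Returns (delivered fraction, failovers)."""
    rx = Receiver()
    current, failovers = 0, 0
    recent = deque(maxlen=window)  # True for each dropped packet
    for seq in range(n_packets):
        got = links[current].send(seq)
        rx.accept(got)
        recent.append(got is None)
        if len(recent) == window and sum(recent) / window > brownout:
            current = (current + 1) % len(links)
            recent.clear()
            failovers += 1
    return len(rx.seen) / n_packets, failovers


def active_active(links, n_packets):
    """Send every packet on all links; it is lost only if every copy is dropped."""
    rx = Receiver()
    for seq in range(n_packets):
        for link in links:
            rx.accept(link.send(seq))
    return len(rx.seen) / n_packets


def simulate(n_packets=10_000, seed=7):
    """Compare a single 15 %-loss line with both two-line policies."""
    rng = random.Random(seed)
    dsl = LossyLink("dsl", 0.15, rng)  # congested broadband line
    lte = LossyLink("lte", 0.02, rng)  # second, cleaner line
    single = active_active([dsl], n_packets)  # one link, no redundancy
    ap, failovers = active_passive([dsl, lte], n_packets)
    aa = active_active([dsl, lte], n_packets)
    return {"single": single, "active_passive": ap,
            "failovers": failovers, "active_active": aa}


if __name__ == "__main__":
    for policy, value in simulate().items():
        print(policy, value)
```

With independent drops, duplication lowers the loss rate to roughly the product of the two links' loss rates (here about 0.3 percent from 15 and 2 percent), at the cost of doubling upstream bandwidth; failover keeps bandwidth use flat but still loses everything sent on the bad line before the window detects the brownout, which is why a voice call needs the detection to complete within a fraction of a second.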

The Pains and Problems of NFV

The Pains and Problems of NFV All too many vendors like to trumpet the promise of network functions virtualization (NFV). But deploying an NFV architecture is fraught with so many problems and challenges that many telcos have abandoned the approach. What are the problems, and why? Read on to find out. NFV Success Overstated Limited operator deployments “Another miss in 2018 is massive SDN/NFV deployment. Yes, we have some of both today, and yes, there will be more of both in 2018, but not the massive shift in infrastructure that proponents had hoped for. Operators will not get enough from either SDN or NFV to boost profit-per-bit significantly. Other market forces could help both SDN and NFV in 2019 and 2020, though. We’ll get to that at the end of next year, of course. The fact is that neither SDN nor NFV were likely to bring about massive transformational changes; the limited scope ensures that. Operators are already looking elsewhere, as I noted earlier in this blog. The success of either SDN or NFV depends on growth in the carrier cloud, and 2018 is too early to expect much in that area.” “The Driving Technologies for Network Operators in 2018,” CIMI Corp., Tom Nolle, January 2, 2018 CSPs Face Limited Choices “To really make this work though, the software elements need to be fully interoperable, in order to enable vendor independence and competitive pricing. The resulting network is rapidly scalable, flexible, and benefits from dynamic resource allocation. This is what NFV should be enabling – the access to a full range of interchangeable best-of-breed, trusted Virtual Network Functions (VNFs) that can be easily and cost-effectively deployed. What is actually happening is that a lack of information and insight means that CSPs are becoming locked into full stack virtualized solutions from a limited set of vendors.
Instead of having their choice of hardware constrained by lack of interoperability, they are now finding constraints in the virtual world as their choice of software is being stifled through lack of accessible, certified information.”

Cost/Benefit Rationale Unclear

Are the economies of scale an illusion?

“Most often, it’s an unrealistic assumption that applications in software on standard platforms will meet the throughput and latency demands without allocating considerable CPU resources. Operators are realizing that the cost savings of NFV are offset by the need to deploy entire racks of compute resources for a problem that a single appliance could previously solve. The CPU and server costs, rack space, and power required to meet the same performance footprint of a dedicated solution end up being as expensive as or more than custom-designed alternatives. The vision of operational simplicity and dramatically lower total cost of ownership are still a dream on the horizon.”
https://www.datacenterjournal.com/making-dream-network-functions-virtualization-reality/

Where is the business benefit?

“NFV is a huge undertaking for Network Service Providers (NSPs), involving many moving parts that are partly outside their control. The ramification of which is both the NSP and enterprise will realize only minimal cost and operational benefits. Despite the hype, NFV may not be worth deploying.”
https://www.catonetworks.com/blog/why-nfv-is-long-on-hype-short-on-value/

NFV Filled With Technical Problems

NFV is too complex

“…while NFV provides an opportunity to reduce opex and improve customer experience, it introduces additional layers of operational complexity that "put more onus on the operator to integrate technologies that were traditionally integrated by a vendor." This chimes with the results of a survey that Amdocs recently undertook that asked CSPs about the most significant barriers to implementing open source NFV (as opposed to sourcing a turnkey solution from one supplier). Maturity/stability (35%) was the chief concern, which is no surprise given that many of the open source NFV projects are quite new.”
“The Challenges of Operationalizing NFV,” LightReading, James Crawshaw, November 29, 2017

VNF and NFV not living up to the promise

“The initial thinking was that the virtualization of physical appliances and network functions virtualization (NFV) would make carriers more agile. They could run a fully managed orchestration platform, spinning up virtual network functions (VNFs) in a generic customer premise equipment (CPE) device. Carriers would gain the efficient use of software licenses, centralized management, and upfront saving they’ve long sought and enterprises achieve the branch office operational cost reductions they’ve long wanted. But operationally, VNFs are still multi-sourced virtual appliances. Each has to go through a complete lifecycle of sizing, deployment, configuration, and upgrades. Each must have its own redundancy scheme built per customer. Each must be run through its own management interface and policy engine. Can you imagine Amazon offering AWS where virtual machines are deployed per host, run a vendor-specific operating system, and managed by vendor-specific tools? What a headache. If that was the case, AWS would be far less compelling.”
https://www.catonetworks.com/blog/the-carrier-cloud-needs-a-new-fabric-not-a-patched-cloth/

Limited Connectivity Capabilities

“Most off-the-shelf vCPE/uCPE hardware features Ethernet ports to connect to the WAN, but little more. This is a serious impediment because most service providers operate multiple access media in their footprint, and want to deploy vCPE services across as many of these media as possible – including mobile/wireless technologies to cover more remote enterprise locations. Ideally, customer premises hardware should be able to serve all locations, regardless of available access media, without requiring additional box appliances to be deployed. Smart SFPs available in the market can be used for this purpose.

“Significant problems remain: Stitching the service chains together from different VNFs is proving to be harder than expected, and requires lengthy and costly interoperability testing. This can usually be alleviated by the vCPE solutions vendor pre-testing and integrating the VNFs from different vendors, and ensuring open APIs exist for all tested VNFs.”
https://www.cbronline.com/opinion/vcpe-challenging

VNF bloat crippling uCPEs

“…service providers are seeing their $1,500 or $2,000 uCPEs barely matching $500 to 800 NGFWs in key aspects of networking performance. In addition, service providers are sore about having to manage 60 to 80 GB of SD-WAN and other VNF images and about sacrificing two to four CPU cores just for SD-WAN/NFVI management overhead. They worry that eight x86 cores on an edge box is insufficient, yet don’t want to go to 16 cores because of the high price…”
“There’s nothing universal about the universal CPE,” SDXCentral, Roy Chua, December 06, 2018

VNFs: difficult to work with

“…From a VNF perspective, things are not as automatable as we would have hoped,” said Mitchell, the director of NFV, cloud, innovation labs and support networks at Telus. “These VNFs are more of what was called a 'lift and shift' type of deployment. So you took a traditional piece of software that was running on vendor-provided hardware, and it came in a contained almost black-box type of solution, and that got lifted into a virtual machine and then dumped onto a pod and boom! We've got NFV and we got all the benefits and life is good and we're done.

“Well, that's not exactly true because these VNFs are very difficult to work with. They tend to be tightly coupled within themselves, and they tend to not have the openness and APIs that we would need in order to manage and configure them.”
“Telus' Mitchell: Industry needs to change cultural mindsets and embrace cloud-native,” FierceTelecom, Mike Robuck, September 28, 2018

Eliminating complexity—or increasing it?

“Problems within service chains have come to epitomize the problems with NFV. When it comes to deployments, there are significant restrictions on the number and variety of functions in a service chain. This leads to either remaining with legacy, physical network functions vendors or increasing the number of silos, which is a shame as the NFV vision was meant to break down these two barriers. Frustratingly, this can lead to increased costs as the operator transforms fixed physical infrastructure into a software-based, dynamically switched model. It turns out this is easier said than done.”
https://www.sdxcentral.com/articles/contributed/problems-with-service-chaining-stalling-nfv/2018/08/

NFV Not Achieving Key Goals

Headed in the wrong direction?

“Gumirov's honest assessment is that Deutsche Telekom AG (NYSE: DT) is somewhere between the old physical network function and the cloud-native VNF, at an overall stage he optimistically terms the "cloud-ready VNF." While some functions have been relatively easy to "cloudify," such as the voice platform and telephony application server (TAS), others have not. In fact, when it comes to some of the mission- and performance-critical functions, the industry appears to be heading in the wrong direction entirely, according to Gumirov. "The trend is a bit scary," he said.”
https://www.lightreading.com/nfv/vnfs-(virtual-network-functions)/vnfs-the-good-the-bad-and-the-ugly/d/d-id/746800

vCPE and uCPE are the wrong approaches

“One of the service agility benefits quickly proposed within the ISG was the creation of multi-part services by the chaining of VNFs, and this gave rise to the “service chaining” interest of the ISG. A virtual device representing a service demarcation might thus have a VPN VNF, a firewall VNF, and so forth. Recently, SD-WAN features have been proposed via an SD-WAN VNF in the chain. All of this got framed in the context of “virtual CPE” or vCPE.

“As a practical matter, though, you can’t fully virtualize a service demarcation; something has to provide the carrier-to-user connection, harmonize practical local network interfaces (like Ethernet) with a carrier service interface, and provide a point of management handoff where SLA enforcement can be monitored by both sides. Could you deploy a service chain of functions (VNFs) into a uCPE box, as though it was an extension of carrier cloud and using the set of features and capabilities the ISG has devised (and is still working on)? Perhaps, but the better question would be “Should you?” There are in my view some compelling reasons not to do that…”
“Why vCPE and uCPE are the wrong approach,” CIMI Corp, Tom Nolle, November 28, 2018

Performance and scaling

“The performance and scaling problems that operators face with generic NFV infrastructure (NFVi) will only be worsened by 5G networks. The move to 5G brings new requirements to mobile networks, creating its own version of hyperscale networking that is needed to meet the performance goals for the technology, but at the right economy scale. Numerous factors are fundamentally unique to 5G networks when compared to previous 3G/4G instantiations of mobile protocols. The shorter the distance, the higher the frequency – thus, the more bandwidth that can be driven over the wireless network.”
https://www.transformingnetworkinfrastructure.com/topics/virtualization/articles/440078-addressing-challenges-network-functions-virtualization.htm

Bottom Line

It's apparent that two things are true: NFV and its elements have a tremendous amount of potential, and a lot of work remains to be done. Are you aware of any other issues, or do you have particular insight into any of those mentioned above? Let us know at press@catonetworks.com

What Enterprises Can Learn From The $55 Million Investment in Cato Networks

We just announced the results from a fantastic 2018: a year in which bookings grew by 352% year-over-year, business from the channel increased fivefold, and customer growth exploded to 300 enterprises serving thousands of branch locations worldwide. It’s an incredible achievement by any standard, perhaps only surpassed by one other piece of news — a $55 million investment from Lightspeed Venture Partners, with the participation of all current investors — Aspect Ventures, Greylock Partners, Singtel Innov8, and USVP, all top-flight firms. (Co-founders CEO Shlomo Kramer and CTO Gur Shatz also invested.)

SD-WAN is a small part of WAN transformation

For those who don’t follow every tick and tock of the VC world, raising such a significant sum at this stage of the market is remarkable. VCs tend to be a conservative bunch when it comes to their wallets. They like to invest in companies that are going to win. Kind of like IT managers, actually, who look to deploy products that will last. And yet today, some 50 companies claim to have SD-WAN capabilities. The last thing a VC wants to do is invest in a company with a “me too” product. All of which begs the question: how was Cato, a leading SD-WAN provider, able to raise such a significant investment?

That’s because the investment isn’t about SD-WAN. Yes, SD-WAN is an integral part of WAN transformation. Being able to select the right underlay for any location gives IT the agility long missing from MPLS services. But the networking challenges facing IT go far beyond site-to-site connectivity. If you’re like many IT pros, you probably need a networking platform that will last you today — and tomorrow. You probably need to provide mobile users with secure, reliable access from anywhere. You likely need to connect your sites and mobile users with cloud datacenters and cloud applications. You need to protect all of those entities against Internet-borne threats. And you’d like to connect them in a way that’s flexible enough to encompass that new IoT widget or the next new trend.

Managed services: the platform for global enterprise connectivity

The only way to do all of that, everywhere and at scale, is with a global managed service. Appliances simply can’t cut it, at least not without massive investment and an exponential increase in complexity. Managed network services provide the operational cost model, global reach, technology mix, and technical personnel to address the gamut of challenges facing WAN transformation.

It's not just me saying this. You can see it in the partnerships SD-WAN appliance vendors have made with service providers. You can see it in research coming out from leading analysts. In the “2018 Magic Quadrant for WAN Edge Infrastructure” (registration required), for example, Gartner recommended that companies “Evaluate WAN as a service for your next refresh, even if you have traditionally pursued a DIY approach.” And in the “2018 Strategic Roadmap of Networking,” Gartner analysts Andrew Lerner and Neil Rickard said that “Based on a recent Gartner survey of enterprises, by year-end 2018 (YE18), 66% of enterprises globally plan to employ managed network services for their WANs, which will represent a 20% rise since 2016.”

The right kind of managed service is critical

The question then is less about whether enterprises will adopt managed network services and more about what kind of managed network services they should adopt. The telcos have offered one well-known approach based on appliance integration. We believe that's a recipe for the same old, same old. The telco experience has translated into a stable service with unexceptional (or worse) customer service. It’s meant opening tickets to resolve even the smallest of problems, waiting for ages to deploy new sites, and being charged a premium in the process.

Cato offers a very different kind of approach. The Cato model takes the best of the telco world and combines it with the best of cloud services. It’s an experience that delivers a network with the uptime, predictability, reach, and “white glove” service enterprises expect from the best of the telcos. At the same time, it’s an experience that delivers the agility, cost structures, and versatility enterprises need in this cloud and mobile era.

“Cato is a transformative force in the stagnant managed network services market,” says Yoni Cheifetz, Partner at Lightspeed. “Businesses are looking for an affordable, agile, and scalable network to drive strategic initiatives like global expansion, hybrid cloud, and workforce mobility. Today’s rigid networks aren't built to support this growth, and this is the multi-billion dollar market opportunity Cato is going after.”

We couldn’t have said it better. Here’s to an even better 2019.

What You Should Know Before Choosing a Managed SD-WAN Service

The growth and adoption of SD-WAN have continued strong through 2018, and we anticipate this will continue into next year. Gartner predicts the SD-WAN market will reach $1.3 billion by 2020. Early adopters were generally motivated by cost savings and improved performance, but many today are driven to adopt it because of the agility of SD-WAN. SD-WAN can, however, be deployed in several distinct ways, and enterprises need to choose among them.

SD-WAN as a Service (SDWaaS) Defined

SDWaaS providers not only provide the hardware needed at each site but also include a virtual overlay network backbone and additional features like security and centralized management. SDWaaS simplifies the network by eliminating appliance sprawl with seamless cloud-scale software. When packaged as a service, the customer doesn’t need to manage everything themselves and can leverage value-added services like SLAs.

Organizations that have deployed SD-WAN find the cost savings to be one of the most immediate benefits. WAN costs can be reduced by up to 90% because the dedicated private WAN connections, typically MPLS, are replaced with lower-cost broadband connections. These cost savings and other benefits of SD-WAN in general – such as increased agility – also apply to SDWaaS.

Some may consider carrier-managed SD-WAN to be the same thing as SD-WAN as a service, but it’s important to note the differences. Cloud-hosted SD-WAN may also be confused with SDWaaS, and organizations looking to choose an SD-WAN solution will want to understand how they differ.

How SDWaaS Differs from Alternative SD-WAN Solutions

Some SD-WAN vendors offer a service that uses service chaining to redirect traffic to security appliances or cloud security services for inspection. Physical security appliances will still need to be scaled, patched, and upgraded. The cloud security services only inspect Internet-bound traffic and focus only on HTTP/HTTPS traffic. Rather than an innovative solution, it’s merely bolting on security with limited benefits.

Carrier-managed SD-WAN may be offered as a service, but in essence, the carrier is just packaging a third-party SD-WAN vendor solution and third-party security appliances with the carrier network. So the service provider is still burdened with management and maintenance of all those devices. Getting service anywhere and everywhere becomes complicated, as the customer is limited to what and where the carrier is willing to provide service.

Cloud-managed or cloud-hosted SD-WAN services host their management and control application in the cloud. The solution still requires SD-WAN nodes for path selection, and the service runs completely over Internet transports. This is a notable difference from SDWaaS, which is built on privately-run backbones with SLAs for performance comparable to MPLS.

Considerations for Moving to SDWaaS

Many enterprises today are leveraging mobile and cloud-centric solutions. Because MPLS doesn’t extend to the cloud, nor address mobile users, organizations can address this need with SDWaaS that uses (1) software clients for mobile devices and (2) PoPs that are often co-located within the cloud providers’ datacenters.

IT leaders are painfully aware of the high cost of MPLS, which takes a large portion of the IT budget. Moving to SDWaaS can significantly reduce WAN bandwidth costs for organizations looking to optimize their spending. Those same high-cost MPLS connections are also difficult to provision and scale, with provisioning lead times of 4 months or more. Businesses looking for improved agility to scale bandwidth and bring new sites online can benefit from SDWaaS. New sites can be brought online instantly with 4G and switched over to Internet services as needed.

Because SDWaaS has converged security and networking, security teams can meet the agility objectives too. In addition, some advanced networking and security capabilities, such as Identity Awareness, are available.

Stuart Gall, Infrastructure Architect at Paysafe, made the move to SDWaaS for several reasons, but he appreciates having the agility to move bandwidth within the same billing domain. "If I close a location, I don’t lose the outstanding funds for that term. I just allocate the paid bandwidth to a different location. With MPLS, I’m locked into a three-year contract at each location, even if I just have to move one down the road.”

Making the Right Choice

IT teams are key players in helping organizations decide the optimal way for SD-WAN to be implemented, whether through SD-WAN vendors, carrier-managed, cloud-hosted, or SDWaaS. Indeed, SDWaaS takes the next step in converging networking and security for today’s enterprise network requirements.

SD-WAN Success Requires A New Kind Of Managed Service Provider

The adoption of SD-WANs continues to skyrocket. ZK Research forecasts the market for SD-WAN infrastructure and services will grow at almost 70% CAGR between now and 2022. Why such strong adoption? For most businesses, the WAN is long overdue for an upgrade, as the current architecture has been in place for well over three decades. If done right, SD-WANs can be one of the rare IT initiatives that lower costs, improve worker productivity, and simplify IT operations. It’s important to note the caveat I made with “if done right,” as deployment success depends on ensuring the right architecture, and this can vary widely from company to company. As is the case with most technologies, one size definitely does not fit all with SD-WANs.

One of the biggest debates in SD-WANs is the use of Internet-based broadband versus a private network. For small businesses that have regional networks, broadband is likely sufficient. Traffic volumes are typically light and the distance that network packets have to travel is short, so the quality of experience for applications, even real-time ones like voice and video, will likely remain high.

It’s a different story, though, for large, distributed organizations, particularly global ones. The low price of consumer broadband makes it attractive, but there are some risks in using the public Internet as the backbone of a global organization. The first and most obvious risk is quality, particularly for real-time and bandwidth-intensive applications. Users may not notice if the experience of best-effort applications, such as e-mail, is impacted, but they certainly will if voice calls are dropped or if video sessions are choppy and the conversations become unintelligible.

The SD-WAN industry is still in its infancy, and there are few best practices regarding the use of broadband for a business network. Below are the top concerns that network professionals should be aware of when looking at the broadband versus private network decision.

Variable circuit sizes. Broadband speeds can vary widely from under 1 MB to multi-gigabit. There is also variability in the type of broadband, where fiber speeds greatly exceed any kind of copper connectivity. Wireless services appear attractive but often have high latency and are metered services. Also, with most broadband services, the upload and download speeds are different.

Inconsistent bandwidth speeds. Some broadband types, like cable and cellular services, are shared networks. This means that if a business happens to be one of only a few entities connected in that area, the speed will likely be great, often exceeding the subscribed rate. However, if the area is oversubscribed, the speed can be significantly lower than what is expected. Adding to the complexity, time of day can play a role as well: in highly dense areas, consumer usage can impact business users during peak periods.

Network-specific issues. Various broadband types have different characteristics, which can cause application issues. For example, 4G services can suffer high packet loss, where Ethernet can often drop packets. It’s important that the right types of network optimization be applied.

Security concerns. The use of public cloud services brings with it a number of new threats. The old model of placing a big firewall at a single ingress/egress point no longer works, as every branch and mobile worker creates backdoors. The network needs to become a sensor for unusual activity that could indicate a threat.

Legacy private networks, such as MPLS, have the luxury of being very consistent from location to location and are considered to be secure. Also, the ability to use class of service (CoS) for proper application categorization ensures optimal application performance. However, MPLS can be very expensive and inflexible, which is why many businesses are investigating SD-WAN.

SD-WANs, on the other hand, bring a number of new challenges that need to be overcome. Historically, businesses may have been able to turn to a managed service provider (MSP) to help offset much of the complexity of deployment. MSPs may be able to help with factors like network configuration and broadband selection but won’t be able to address issues such as Internet latency that can lead to poor performance.

What’s needed today is a new kind of managed service provider known as a converged MSP. These service providers can deliver all of the value of a traditional MSP but build their own technology stack and global backbone. Think of a converged MSP as a hybrid of a traditional service provider and a managed service provider, giving customers the “best of both worlds”: a single vendor that has the integration expertise of an MSP but also the control and inherent security of a service provider that owns its own network. This will also lead to better costs, faster evolution, and innovation.

SD-WANs are fundamentally different from legacy WANs. Doesn’t it stand to reason that SD-WAN vendors need to look a lot different than service providers did a decade ago?

Still on the Fence about SD-WAN? Gartner Says to Include It in WAN Architecture Discussions

SD-WAN solutions have become mainstream in the enterprise, but some organizations are still looking at the technology from afar and wondering if it could be right for them. If your organization is among those fence-sitters, there’s a new guide from Gartner (“Technology Insight for SD-WAN,” 14 September 2018, ID: G00369080) that could be helpful in your decision-making process.

Most notable about the report is the Gartner analysts’ recommendation that “SD-WAN should be included in future WAN architecture discussions.” The analysts have concluded that the reasons to implement SD-WAN technology far outweigh the risks, identified in this report as market confusion, market fragmentation, feature limitations, and vendor lock-in. What’s important to note is that the risks do not include any concerns about the technology itself. In fact, SD-WAN technology has been around for several years and has reached a stage of maturity and stability that can support the formidable requirements of most enterprises. According to Gartner, “North American-based retail and financial service organizations have been the most aggressive early adopters of the technology.”

As to why companies should consider SD-WAN for their WAN architecture, the Gartner analysts note that “the benefits of an SD-WAN approach are substantial compared to traditional approaches, including simplified management and operation, reduced costs, and increased visibility and security.” Gartner considers a traditional WAN approach as combining “fully featured, on-premises physical or virtual devices, including routers… Although it is complex to deploy and manage, this complexity can be somewhat mitigated by using reference design templates and/or managed services from MNS providers or system integrators. Though this solution is proven and mature, it is less agile and flexible than an SD-WAN approach.”

The report cites specific benefits, including:
- Agility via Improved Management
- Cost Reduction
- Improved Branch Availability

According to Gartner estimates, as of June 2018 “there are over 6,000 paying SD-WAN customers, with more than 80% of those in production, including more than 200,000 total branches." The analyst firm forecasts that “spending on SD-WAN technology will grow at a 30.2% compound annual growth rate (CAGR) through 2022.” But just as spending on SD-WAN is on the rise, spending on traditional WAN technologies is on the wane; by 2020, global spend on SD-WAN is expected to overtake the global spend on traditional router equipment.

Do Your Research

It’s clear that a lot of companies are now on the SD-WAN bandwagon. How should you make your own assessment as to whether this technology is right for your organization? The report outlines several evaluation factors to consider in light of your own organization’s needs. The Gartner analysts caution, “At a casual glance, it can be very difficult to differentiate between SD-WAN solutions, as they all provide branch connectivity in a simplified and cost-effective manner. In addition, this is a fast-moving market that will continue to undergo substantial change within the next 12 months. When evaluating and selecting solutions, organizations should ask prospective SD-WAN vendors specific questions to determine which solution best meets their branch connectivity requirements.”

Gartner suggests discussing several high-level assessment criteria with your prospective SD-WAN vendors/providers. These criteria include:
- Scale and Architecture
- Management and Orchestration
- Visibility and Security

Of course, these questions are just a starting point for your vendor conversations. You’ll want to tailor your questions to your own specific needs.
Here is a guideline you can use for re-evaluating your MPLS service provider. 

Top Podcasts for SD-WAN and Network Professionals

Podcasts are a great resource for keeping current on IT network topics like SD-WAN and hybrid cloud, though it can be tough finding the quality podcasts that are, at the end of the day, really worth your time. Here are our six favorite podcasts that, in our estimation, are definitely worth tuning in to…

Packet Pushers

Greg Ferro and Drew Conry-Murray host the weekly Network Break, while Ethan Banks and Chris Wahl host Datanauts. The Network Break features the latest IT news that affects network professionals, with episodes lasting less than an hour. Latest topics include Cisco and Arista releasing 400G switches, IBM’s purchase of Red Hat, and ‘a virtual network tap in Azure and SD-WAN integrations’. Datanauts, on the other hand, is not a weekly show, but new episodes are released when there’s a new and interesting topic to explore in cloud, convergence, data centers, and anything infrastructure. The Datanauts team discusses recent topics on advancing your IT career and building out a private cloud with guest Rita Younger from CDW.

CCSI Podcast

CCSI, a leading technology services and solutions provider, has been hosting a podcast since early 2017, with each episode under 30 minutes. Hosted by Larry Bianculli, managing director of enterprise and commercial sales, topics range from cloud computing and cybersecurity to SD-WAN. Joe Goldberg, the Senior Cloud Program Manager at CCSI, was a guest on an SD-WAN episode and discusses why customers are “demanding more flexible, open and cloud based WAN,” why simplifying the WAN is advantageous today, and how SD-WAN is achieving success with simplicity.

IPspace.net

Software Gone Wild is a podcast by IPspace.net with new episodes about once a month. A vendor-independent podcast, it focuses on Software Defined Networking (SDN) solutions, Network Function Virtualization (NFV), Software-Defined Data Centers (SDDC), cloud computing, and network programmability. The hosts take a unique perspective on these technologies by uncovering hidden gems – field-tested solutions that have been in production but have been relatively overlooked. Software Gone Wild is hosted by Ivan Pepelnjak, a well-known blogger and writer, who has also authored several Cisco Press books.

TechSnap

A weekly podcast hosted by Chris Fisher and Wes Payne, TechSnap touches on networking, IT systems, and administration, with a focus on discussing major security flaws in large systems. Each episode carves out time for audience questions and discussion of best practices on everything from eBPF to cloud building blocks. Episode lengths vary but are generally less than an hour. TechSnap is part of the Jupiter Broadcasting podcast network, which was founded by Chris Fisher and Bryan Lunduke in 2008.

Cisco Cloud Unfiltered

The interview-style format of this podcast covers topics on various cloud architectures, deployment strategies, and complementary technologies for the cloud. Hosted by Ali Amagasu and Pete Johnson, each episode lasts about 30-40 minutes and features an interview with an expert on the topic at hand. Episode 58 features guests Ed Warnicke of Cisco and Frederick Kautz of Red Hat and explains the excitement surrounding the Network Service Mesh project.

The Network Collective

The Network Collective is a community-driven podcast that is organized and produced by Jordan Martin, Eyvonne Sharp, and Russ White. There are four different podcast formats: ‘Short Take’ episodes are generally only 5-15 minutes long, ‘History of Networking’ episodes are about an hour long, ‘Off the Cuff’ episodes are released less frequently, and ‘Community Roundtables’ are generally less than an hour and feature several guests discussing a wide range of networking topics. In episode 29 of the Community Roundtable series, hosts Jordan Martin and Eyvonne Sharp discuss some of the operational considerations when using MPLS VPNs. Longtime networking instructor Travis Bonfigli tweeted about this episode, “Pure DMVPN gold! @NetCollectivePC [continues] to blow me away with top shelf content! Keep crushing it!”

Each of these podcasts most certainly has its own style of format and unique take on networking topics, but what they all have in common is quality content for people in the IT networking field. Happy listening.

The Best IT Network and SD-WAN Events for 2019

The Best IT Network and SD-WAN Events for 2019 SD-WAN continues to be one of the fastest growing industries across the globe. Revenues increased 83.3% in 2017, and predictions estimate that it will reach $4.5 billion according to the IDC. The list of SD-WAN events and conferences scheduled for 2019 is already quite impressive, and it’s already on our agenda to start marking our calendars for the upcoming year as the 2018 year begins to wind down. Here are the events that we’ve got our eye on so far. Metro Connect USA 2019 Jan 29-Jan 31 2019 | Miami, FL USA This event is for C-level executives in the U.S. communications infrastructure market. Each day includes panel discussions that include addressing industry updates, challenges, trends, and future development. One such panel will be “The Edge Ecosystem: Exploring the Different Roles in Delivering this Final Frontier”. Topics to be explored during the discussion include, how should you balance latency vs. location, and what is the impact of SD-WAN and the edge? With 600+ attendees and over 200 companies, you can expect productive strategic discussions and opportunities to generate new business for the upcoming year. SD-WAN Expo Jan 29-Feb 1 2019 | Fort Lauderdale, FL USA This expo provides the opportunity for enterprise executives, service providers, and technology vendors to connect on the growing SD-WAN market and its evolution. Industry experts will be on hand to present and discuss topics that include WAN transformation, application performance, IoT, and security. This event is focused on the SD-WAN industry but is also co-located with ITEXPO, one of the largest communications and technology conferences in the world. The closing session will conclude with what lies ahead for SD-WAN, and how digital transformation initiatives and the rroadmap for today’s enterprises will be affected. 
MPLS + SDN + NFV World Paris 2019
Apr 9-Apr 12 2019 | Paris, France

Representatives from service providers and large enterprises from around the globe will gather to provide thought leadership on the 2019 agenda: AI and Machine Learning Impacts. A highlight of the event is the Public Multi-Vendor Interoperability Test, in which participants exhibit a tangible, lab-validated network showcasing the latest advances. The 2018 edition of this event had over 1600 participants, with presentations on orchestration, automation, and service delivery.

WAN Summit New York
Apr 8-Apr 9 2019 | New York, NY USA

This two-day summit is geared toward network managers responsible for global enterprises who want to stay current on the latest network architecture trends, and toward telecom service providers tailoring their services to the challenges global enterprises are facing. Packed into the summit are Peer Exchanges, Case Studies, and Interactive Q&A sessions on the topics that matter most to enterprise WAN architectures. Enterprises can meet vendors with new technologies surrounding cloud connectivity, global SD-WAN, and more. Kristan Kline of Kaiser Permanente says, “The best conference to attend to get an impartial focus on enterprise WAN.”

Gartner Tech Growth & Innovation Conference
June 3-June 5 2019 | San Diego, CA USA

Gartner is well known for its market-leading research. This event is three days of vendor-exclusive Gartner research and dialogue. The agenda will include the latest technology and business disruptions and how to leverage the risks and opportunities these present. This conference provides attendees the opportunity to engage with over 40 Gartner analysts and learn from over 70 research-driven sessions, covering:

- Market opportunities and threats
- Competitive positioning and messaging
- Creating a culture of innovation and customer-centricity
- Ecosystem development and management
- Business Performance Management
- Talent and future of work

IP EXPO EUROPE
Oct 8-Oct 9 2019 | London, England

With 6 IT events under one roof (IP EXPO, Cyber Security X, Developer X, AI-Analytics X, Internet of Things X and Blockchain X), you won’t want to miss this expo. Registration grants you access to all co-located events. Last year’s event had an impressive lineup of speakers including Cato’s Director of Sales Engineering, Mark Bayne (The Future of SD-WAN), and Carla Echevarria (The Power and Perils of AI). Acclaimed public speaker Andrew Keen laid out “a five pronged strategy to realize the positive promise of the digital revolution” in his keynote speech “How to Fix the Future.” Another interesting keynote speaker was Colonel Chris Hadfield, astronaut and co-creator and host of the acclaimed BBC series Astronauts. No doubt this year will include another engaging lineup of speakers.

How To Make A Smarter Last-Mile Management Service

Today we introduced Cato Intelligent Last-Mile Management (ILMM), a new service that offloads the burden of monitoring and managing the lines connecting your sites to Cato PoPs around the globe. Simplifying last-mile management is an enormous step forward in simplifying global SD-WAN deployments. Here’s why.

The Last-Mile: SD-WAN’s Achilles Heel

Getting the last mile right has been challenging for global SD-WANs. With MPLS, the provider assumed responsibility for last-mile management. When backhoes cut a wiring duct, squirrels chewed through wires, or router updates blew up the network, the MPLS provider was charged with fixing the problem. Carriers might charge a bundle for MPLS, take forever to close tickets, and be frustrating to work with, but at least you knew they were responsible for keeping last miles connected.

SD-WAN has a lot going for it, of course, but the one issue that SD-WAN appliance vendors often gloss over is management of the last mile. With SD-WAN based on Internet connectivity, it’s up to you and your team to monitor all of the last-mile links around the globe, identify problems, and engage with local ISPs. To do that, you need to deploy the necessary monitoring tools (unless, of course, you’re already a Cato customer, in which case our system already has you covered). You’ll also need to learn the local language, procedures, and culture for each ISP. What a pain.

[Figure: Last-mile problems occur in the line to the ISP and in the connection to the ISP’s peers.]

Monitoring Services Can’t Solve The Problem

Outsourcing last-mile monitoring has been a partial solution. The carriers and providers who will monitor and manage your last miles are often limited to the capabilities of the edge device, namely the router. As such, they can use ICMP to detect link outages, but that’s about it. There’s very little understanding of link characteristics when something starts to go wrong but the link is still operational. Seasonal changes, like the upcoming Black Friday for retailers, are not factored into their understanding of last-mile performance. Visibility is also limited, missing outages in an ISP’s upstream connectivity.

Cato ILMM: Putting Intelligence into LMM

We thought we could do better, so we created a smarter LMM. Cato ILMM detects blackouts and brownouts, even when those outages and slowdowns occur beyond your site’s last mile. To do this we continuously profile each last mile, establishing unique dynamic baselines for critical services. Knowing what’s normal lets us detect brownouts before they become blackouts, and blackouts before your users notice them. We can isolate outages down to the specific service and location to shorten resolution times. Let’s break that apart for a second:

Continuous Last-Mile Profiling leverages our vast data warehouse capabilities to create a dynamic model of last-mile performance. During onboarding, we capture a week-long baseline of packet loss, latency, and jitter metrics for every monitored service across every managed link. This last-mile profile establishes a highly accurate baseline for defining and detecting brownouts. We continue to evolve this baseline over time to capture seasonal and other network fluctuations.

Infrastructure Service Monitoring identifies outages in the underlying services required to run the most common cloud applications, not just the physical last mile. Cato ILMM measures link connectivity and service-specific uptime using Ping, DNS, HTTP, and Traceroute. Additional services can be monitored as well.

Pinpoint Identification eliminates finger pointing and reduces time to resolve. Cato monitors the complete customer connection from the location, through the ISP’s premises, to a dedicated Cato test server and to websites on the public Internet. Testing is done both within the Cato tunnel and outside of it. As such, Cato can isolate problems down to Cato, the ISP, or the ISP’s peers.

[Figure: Cato manages the entire last mile, from the customer premises to Cato’s PoP.]

Combining ILMM with what we’re already doing, monitoring the Cato Cloud network connecting our PoPs (“the middle mile”), Cato delivers end-to-end management of a company’s SD-WAN infrastructure.

Last-Mile Management That Meets IT’s Agility Requirements

For too long, managed network services forced IT to pay the high costs of service management while suffering the delays and headaches of opening trouble tickets and relying on the carrier to fulfill move, add, or change (MAC) requests. Cato changes that paradigm by bringing the self-service management model of the cloud to network services. With self-service, customers have full control over their SD-WAN, making any MACs themselves. Both the enterprise and Cato continuously monitor the SD-WAN instance. Cato, though, is solely responsible for managing the underlying infrastructure shared among all of its customers.

Cato ILMM complements this model with last-mile management. Companies continue to retain control over their MACs but now rely on Cato or its partners to monitor and manage their last-mile services. Combining the two approaches gives enterprises the best of both worlds: unparalleled agility and no headaches. To learn more about Cato ILMM check out this whitepaper.
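The three ILMM ideas above (a per-link baseline, brownout versus blackout classification against it, and fault isolation from probes run inside and outside the tunnel) are easier to reason about in code. The block below is an added example written for this page, not Cato’s ILMM implementation: the probe history is constructed, and the thresholds (three standard deviations, a two-point minimum loss delta) and the three vantage points named in isolate() are assumptions chosen for the illustration.

```python
"""Last-mile baselining, brownout/blackout classification and fault isolation.

Added illustration for this page; it is not Cato's ILMM code. The probe
measurements below are constructed, and the thresholds (3 sigma, 2 points
of loss) are assumptions chosen for the example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class Probe:
    latency_ms: Optional[float]  # None: the probe got no answer at all
    loss_pct: float              # packet loss seen in this probe burst


@dataclass(frozen=True)
class Baseline:
    latency_ms: float
    latency_sd: float
    loss_pct: float
    loss_sd: float


def build_baseline(history: List[Probe]) -> Baseline:
    """Summarise a week of probes for one service on one link.
    Unanswered probes carry no latency, so only answered ones feed the
    latency statistics; every probe contributes to the loss statistics."""
    lat = [p.latency_ms for p in history if p.latency_ms is not None]
    loss = [p.loss_pct for p in history]
    return Baseline(mean(lat), pstdev(lat), mean(loss), pstdev(loss))


def classify(window: List[Probe], base: Baseline, sigma: float = 3.0,
             min_loss_delta: float = 2.0) -> str:
    """'blackout' when no probe in the window was answered; 'brownout' when
    the window's mean latency or loss sits more than sigma standard
    deviations above the baseline; otherwise 'ok'. min_loss_delta stops a
    near-lossless link (sd close to 0) from flagging a single lost packet."""
    answered = [p.latency_ms for p in window if p.latency_ms is not None]
    if not answered:
        return "blackout"
    lat_bad = mean(answered) > base.latency_ms + sigma * base.latency_sd
    loss_limit = base.loss_pct + max(sigma * base.loss_sd, min_loss_delta)
    loss_bad = mean(p.loss_pct for p in window) > loss_limit
    return "brownout" if lat_bad or loss_bad else "ok"


def isolate(isp_gateway: str, via_tunnel: str, direct_internet: str) -> str:
    """Attribute a fault from three vantage points, each a classify() result:
    the ISP's gateway probed outside the tunnel, the Cato test server probed
    through the tunnel, and a public site probed outside the tunnel."""
    if isp_gateway != "ok":
        return "last mile (line to the ISP)"
    if via_tunnel != "ok" and direct_internet != "ok":
        return "ISP upstream or peering"
    if via_tunnel != "ok":
        return "Cato side (tunnel or PoP)"
    if direct_internet != "ok":
        return "ISP peer toward the public destination"
    return "no fault"


def constructed_week() -> List[Probe]:
    """A week of 5-minute DNS probes (constructed data): 20-24 ms latency,
    one burst in fifty losing 1% of its packets."""
    probes = []
    for i in range(7 * 24 * 12):
        probes.append(Probe(20.0 + (i % 5), 1.0 if i % 50 == 0 else 0.0))
    return probes


def demo() -> dict:
    """Both off-tunnel and in-tunnel probes degrade while the ISP gateway
    still answers normally, which points past the ISP to its upstream."""
    base = build_baseline(constructed_week())
    slow = [Probe(60.0, 0.0)] * 6        # latency far above baseline
    dead = [Probe(None, 100.0)] * 6      # nothing answers
    fine = [Probe(21.0, 0.0)] * 6
    status = {
        "isp_gateway": classify(fine, base),
        "via_tunnel": classify(slow, base),
        "direct_internet": classify(slow, base),
    }
    status["fault"] = isolate(**status)
    status["dead"] = classify(dead, base)
    return status


if __name__ == "__main__":
    print(demo())
```

The baseline is rebuilt from a rolling window in practice so that seasonal shifts move the thresholds with them; the minimum loss delta matters because a link that never drops a packet has a standard deviation of zero, and a pure sigma rule would then raise a brownout on the first lost packet.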

Sign of the Times: Time to Eliminate Your Dependence on MPLS and Switch to SD-WAN

Multinational corporations have traditionally needed global MPLS services to build their WAN. Until recently, there simply was no alternative. That has changed now that secure, global SD-WAN as a Service is available worldwide. By leveraging the power of distributed software, plentiful IP capacity, and off-the-shelf hardware, SD-WAN as a service provides a reliable, flexible, and inexpensive alternative to MPLS.

The MPLS Story

Global MPLS networks allow different in-country providers of MPLS services to connect as one network. A single service provider acting as a “general contractor” manages the agreements between the individual MPLS providers, allowing the customer’s traffic to traverse from the MPLS links of one SP to another to complete the global WAN. Service level agreements are a key part of global MPLS networks. Vendors guarantee uptime levels, jitter, round-trip delay, and other performance parameters.

The global MPLS approach to networking works well if:
- the users are in fixed locations such as branch offices,
- the only corporate applications are hosted in-house, and
- business needs don’t change very often.

Unfortunately, the realities of today are very different:
- Business is evolving quickly, and the underlying IT infrastructure needs the flexibility to support rapid changes in the way of work.
- Many users are mobile, and some may never work in a central “fixed” location.
- Corporate applications are increasingly in the cloud.

The fact is, global MPLS services aren’t implemented in a way that accommodates the new realities of wide area networking. Clearly, an alternative is needed, but it’s not the public Internet. When looking at a global deployment, the Internet is too unpredictable.

SD-WAN as a Service Offers an Alternative to Global MPLS

The great buzz of the networking industry today is the software-defined wide area network (SD-WAN). As Andrew Lerner, Research Vice President for Gartner, wrote in June 2017: “SD-WAN remains a topic of high interest among Gartner clients. While many networking technologies are over-hyped as the next big thing, SD-WAN is delivering on the promise… We recommend you look at SD-WAN when refreshing WAN edge equipment, renegotiating a carrier contract, building out new branches, or aggressively moving apps to the cloud (among other reasons).” His recommendation is as true today as in 2017.

There are different approaches to architecting an SD-WAN. Many vendors’ products would have you build and manage your own network over the unpredictable public Internet, with the SD-WAN as an overlay on top. SD-WAN as a service (SDWaaS) takes a far different approach, one which we believe creates a better network that can truly serve as an alternative to a global MPLS network. With SDWaaS, the Internet is only used for what it’s best at: access. The middle mile, the part of the Internet that causes the biggest latency problems, is replaced by a global, affordable, SLA-backed backbone.

Cato Cloud, Cato’s SDWaaS, is a globally distributed, scalable, and redundant set of Points of Presence (PoPs). The PoPs are meshed into a global overlay with at least two SLA-backed global carriers connecting every PoP. Using the inexpensive IP capacity available from tier-1 carriers is one ingredient that allows Cato to dramatically reduce capacity costs. Costs are also reduced by relying on distributed software running on off-the-shelf hardware in a redundant configuration; there are no expensive proprietary appliances.

Cato Cloud continuously monitors the carriers’ latency and packet loss to determine the optimal path between any two locations. Should one carrier experience an issue, Cato Cloud can make a packet-by-packet decision to move to another carrier. Moreover, a range of optimizations built into Cato Cloud minimize the effects of latency and compensate for packet loss.
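The packet-by-packet carrier choice described above depends on two things the text leaves implicit: a running estimate of each carrier’s latency and loss, and a rule that keeps a single noisy measurement from bouncing traffic back and forth. The block below is an added example written for this page, not Cato’s routing code. The scoring function (latency plus a loss penalty), the exponentially weighted averages and the switch margin are assumptions made for the illustration, and the measurements in simulate() are constructed.

```python
"""Per-packet carrier selection from measured latency and loss.

Added illustration of the packet-by-packet path choice described above; it
is not Cato's routing code. The scoring (latency plus a loss penalty) and
the hysteresis margin are assumptions made for the example, and the carrier
measurements in simulate() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CarrierStats:
    latency_ms: float = 0.0   # exponentially weighted moving average
    loss: float = 0.0         # EWMA of loss as a fraction 0..1
    samples: int = 0


class PathSelector:
    """Keeps EWMA latency/loss per carrier and picks the cheapest path for
    each packet. A rival must beat the current carrier by switch_margin
    (in ms-equivalents) before traffic moves, so one noisy probe cannot make
    traffic flap between carriers."""

    def __init__(self, carriers: List[str], alpha: float = 0.2,
                 loss_weight_ms: float = 500.0, switch_margin: float = 5.0):
        self.stats: Dict[str, CarrierStats] = {c: CarrierStats() for c in carriers}
        self.alpha = alpha
        self.loss_weight_ms = loss_weight_ms
        self.switch_margin = switch_margin
        self.current: Optional[str] = None

    def observe(self, carrier: str, latency_ms: Optional[float], lost: bool) -> None:
        """Feed one probe result. A lost probe has no latency to report."""
        s = self.stats[carrier]
        loss_now = 1.0 if lost else 0.0
        if s.samples == 0:
            s.loss = loss_now
            if latency_ms is not None:
                s.latency_ms = latency_ms
        else:
            s.loss = self.alpha * loss_now + (1 - self.alpha) * s.loss
            if latency_ms is not None:
                s.latency_ms = self.alpha * latency_ms + (1 - self.alpha) * s.latency_ms
        s.samples += 1

    def score(self, carrier: str) -> float:
        """Lower is better. With the default weight, 1% loss costs 5 ms."""
        s = self.stats[carrier]
        if s.samples == 0:
            return float("inf")   # unmeasured carriers are never chosen
        return s.latency_ms + self.loss_weight_ms * s.loss

    def choose(self) -> str:
        """Carrier for the next packet, with hysteresis."""
        best = min(self.stats, key=self.score)
        if self.current is None or \
                self.score(best) + self.switch_margin < self.score(self.current):
            self.current = best
        return self.current


def simulate() -> List[str]:
    """Constructed scenario: carrier A is 30 ms and lossless, B 40 ms and
    lossless. After ten packets A starts dropping every probe; after ten
    more it recovers. Returns the carrier chosen for each packet."""
    sel = PathSelector(["A", "B"])
    choices = []
    for step in range(25):
        a_lost = 10 <= step < 20
        sel.observe("A", None if a_lost else 30.0, a_lost)
        sel.observe("B", 40.0, False)
        choices.append(sel.choose())
    return choices


if __name__ == "__main__":
    print(" ".join(simulate()))
```

In the constructed run traffic leaves A on the very first lost probe, because a 20% loss estimate is worth 100 ms against a 10 ms latency gap, and it stays on B for the whole recovery window: the loss average decays slowly and the margin means B is not abandoned until A is clearly better again.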
The result: Cato Cloud provides better performance and availability than any one underlying carrier.

For large enterprises, global network coverage is essential. Cato Cloud spans more than 40 PoPs around the globe. In fact, the Cato Cloud network has the broadest reach of any global, cloud-based network. Cato operates a third more PoPs than its closest competitor, with 16 locations in the Americas, 13 in APAC, and 12 in Europe.

[Figure: With more than 40 PoPs, the Cato Cloud network has the largest reach of any global cloud-based network.]

The PoPs are strategically located to be within 25 milliseconds of where most business users work. The SD-WAN software analyzes the traffic entering the PoP, applies the necessary security and networking optimizations, and routes the traffic across the optimal path to the PoP closest to the destination, be it a datacenter or cloud resource, where it exits the core network and continues to its destination. An enterprise-grade network security stack, built into the backbone, extends security everywhere without the need to deploy additional security products. This negates the need to backhaul traffic to a central location just to pass it through a security stack.

With the right mix of redundancy, tier-1 carriers, and SD-WAN smarts, SDWaaS can often match an MPLS network in terms of coverage, availability, and performance. Where SDWaaS is far superior is in agility and cost.

In terms of agility, Cato Networks maintains the underlying shared infrastructure (the servers, storage, network infrastructure, and software), allowing enterprises to instantiate, configure and manage their SD-WANs as if they ran on their own dedicated equipment. Changes or additions can be made quickly, instead of waiting months for change requests on MPLS networks, meaning the network can adapt to business changes as they happen, not months later.

Cost is a real differentiator. Results will vary by implementation, of course, but Paysafe reported a 30% reduction in costs when it connected 21 sites via Cato Cloud versus its previous six-site MPLS network. Fisher & Company reduced costs by 65% when switching from MPLS to Cato Cloud.

With an affordable, SLA-backed backbone, SD-WAN as a Service can replace a global MPLS deployment. For more information on this topic, we encourage you to read MPLS, SD-WAN and the Promise of SD-WAN as a Service.

Should You Be Concerned About the Security of SD-WAN?

Traditional hub-and-spoke networking has enterprises backhauling WAN traffic from branches over MPLS circuits to a central site and applying security policies there before sending the traffic on to the cloud or the public Internet. This practice has become prohibitively slow, inefficient and costly as more and more branch traffic is destined for the cloud or the Internet. SD-WAN has emerged as a popular alternative to MPLS. But for SD-WAN to provide better-than-MPLS cloud and Internet performance, backhauling must be eliminated and traffic sent directly from the branch to the Internet. This raises the question: how can SD-WAN use direct Internet access when SD-WAN by itself includes no protection against Internet-borne threats?

Without an SD-WAN standard, enterprise customers can’t make assumptions about what an SD-WAN solution provides, especially when it comes to security. Many SD-WAN vendors take a do-it-yourself (DIY) approach in which the customer organization must piece together the necessary security components. This can lead to isolated or daisy-chained “point” products that are a challenge to maintain. Cato Networks, on the other hand, fully converges security into the network itself so that it is holistically available to all users across the network.

The Cato Approach to Security of SD-WAN

Cato believes the DIY approach is just too complicated and may create gaps that leave the enterprise vulnerable to a range of threats. It puts the enterprise in charge of security patches, upgrades, and updates, all of which places an unnecessary burden on security administrators. What’s more, deploying a full security stack in each branch location is complex, costly and too much of an administrative burden. The unique characteristic of Cato’s SD-WAN as a service (SDWaaS) is the convergence of the networking and security pillars into a single platform. Convergence enables Cato to collapse multiple security solutions such as a next-generation firewall, secure web gateway, anti-malware, and IPS into a cloud service that enforces a unified policy across all corporate locations, users and data. Cato’s holistic approach to security is found throughout the Cato Cloud platform:

At the PoP – The Cato Cloud has a series of Points of Presence around the world, and this is where customer traffic enters the Cato network. Only authorized sites and mobile users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. All PoPs are interconnected using fully-meshed, encrypted tunnels to protect traffic once it is on the network. The Cato PoP software includes a Deep Packet Inspection (DPI) engine built to process massive amounts of traffic at wire speed, inspecting both packet headers and payloads.

At the Edge – Customers connect to Cato through encrypted tunnels established by appliances (called Cato Sockets), by IPsec-enabled devices such as firewalls, or by client software (for mobile users). These connectivity options support a range of security features to ensure that only authenticated branches and users can connect and remain active on the network.

On the Cato Cloud network – Cato Security Services are a set of enterprise-grade and agile network security capabilities, built directly into the cloud network as part of a tightly integrated software stack. Current services include a next-generation firewall (NGFW), secure web gateway (SWG), advanced threat prevention, and network forensics. Because Cato controls the code, new services can be rapidly introduced without impact on the customer environment. Customers can selectively enable the services, configuring them to enforce corporate policies.

Next Generation Firewall – The NGFW supports the definition of LAN segments as part of the site context. This helps to isolate specific types of traffic that carry regulated or very sensitive data, such as payment data. The NGFW supports both application awareness and user awareness, so policies can be created according to the proper context. Other features include WAN traffic protection and Internet traffic protection.

Secure Web Gateway – The SWG allows customers to monitor, control and block access to websites based on predefined and/or customized categories. Cato creates an audit trail of security events on each access to specific configurable categories. Admins can configure access rules based on URL categories.

Advanced Threat Prevention – Cato provides a variety of services designed to prevent threats from entering the network, including anti-malware protection and an advanced Intrusion Prevention System (IPS).

Security Analytics – Cato continuously collects networking and security event data for troubleshooting and incident analysis. A year of data is kept by default.

For details about all these security features and their capabilities, read the white paper Cato Networks Advanced Security Services. Learn about Cato Networks adding sophisticated threat hunting capabilities.

The Benefits of Security Delivered from the Cloud

Because Cato’s security is delivered as a cloud service, customers are relieved of the burden of maintaining and updating the devices and services. Nor do customers need to be concerned with sizing or scaling network security, as that is all done automatically by Cato. Customers control their own policies while Cato maintains the underlying infrastructure. As for staying current with threats, Cato has a dedicated research team of security experts that continuously monitors, analyzes and tunes all the security engines, risk data feeds, and databases to optimize customer protection.
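The NGFW and SWG description above comes down to one policy evaluated against several kinds of context at once: who the user is, which LAN segment the traffic comes from, whether it is heading across the WAN or to the Internet, which application was identified, and which URL category the destination falls in. The block below is an added example written for this page, not Cato’s policy engine: the attribute names, the rule set and the flows are constructed, and the first-match evaluation with an implicit final deny is an assumption chosen to show why a segment that carries payment data only reaches what a rule explicitly names.

```python
"""Context-aware policy evaluation over identity, LAN segment, application
and URL category.

Added illustration of the unified NGFW/SWG policy model described in this
post; it is not Cato's policy engine. The rule set and flows are constructed
and the attribute names are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user_group: str                     # identity from the directory, e.g. "finance"
    segment: str                        # LAN segment the source sits in, e.g. "pci"
    direction: str                      # "wan" (site to site) or "internet"
    app: Optional[str] = None           # application identified by DPI, if any
    url_category: Optional[str] = None  # SWG category for web traffic


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    user_group: Optional[str] = None   # None matches anything
    segment: Optional[str] = None
    direction: Optional[str] = None
    app: Optional[str] = None
    url_category: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.user_group, f.user_group), (self.segment, f.segment),
                 (self.direction, f.direction), (self.app, f.app),
                 (self.url_category, f.url_category))
        return all(want is None or want == have for want, have in pairs)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins. Anything not explicitly allowed is blocked
    by the implicit final rule, so the PCI segment reaches only what a rule
    names (least privilege by default)."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "block", "implicit-deny"


# Constructed policy: the PCI segment may reach the payment processor over
# the WAN and nothing on the Internet; malware-category sites are blocked for
# everyone; finance users reach the ERP; ordinary business browsing is allowed.
POLICY = [
    Rule("pci-to-processor", "allow", segment="pci", direction="wan", app="payment-gateway"),
    Rule("pci-no-internet", "block", segment="pci", direction="internet"),
    Rule("block-malware-sites", "block", direction="internet", url_category="malware"),
    Rule("finance-erp", "allow", user_group="finance", direction="wan", app="erp"),
    Rule("business-web", "allow", direction="internet", url_category="business"),
]


def audit(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """One audit-trail line per flow, naming the rule that decided it."""
    lines = []
    for f in flows:
        action, rule = evaluate(rules, f)
        lines.append(f"{action:5} {rule:20} user={f.user_group} seg={f.segment} "
                     f"dir={f.direction} app={f.app} cat={f.url_category}")
    return lines


if __name__ == "__main__":
    sample = [
        Flow("finance", "pci", "internet", url_category="business"),
        Flow("finance", "office", "internet", url_category="business"),
        Flow("pos", "pci", "wan", app="payment-gateway"),
        Flow("hr", "office", "wan", app="erp"),
    ]
    print("\n".join(audit(POLICY, sample)))
```

Rule order matters: the segment rule for PCI sits above the general browsing rule, so a finance user on a payment-segment host is blocked from the same business site that the same user is allowed to reach from an office segment. Recording the deciding rule name in the audit line is what makes a later incident review tractable.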
Enterprises of all sizes are now able to leverage the hardened Cato Cloud platform to improve their security posture and eliminate concerns about SD-WAN security.

Cato: The SD-WAN Visionary

What’s your vision? At Cato, we know our vision. It’s the power of convergence of networking and security in the cloud. It’s a vision that’s transforming the industry and one that has led Cato to be recognized as a Visionary in the just-released Gartner Magic Quadrant for WAN Edge Infrastructure.

The question of vision is critical as you refresh your network. For years, enterprise networking leaders have struggled with the complexity and costs of networks built from appliances. Coordinating networking and security was overly complex. Appliances brought operational costs with them, such as testing and deploying new updates, fixing bugs, and managing the devices day-to-day. As companies refresh their network they can continue to “Do-It-Yourself” (DIY) with appliances and incur the operational burden of maintaining them. Or they can, as we call it, “drop the box” and move networking and security infrastructure into the cloud, consuming the WAN as a service.

A converged, multitenant cloud software stack eliminates the traditional operational burden of appliances. It’s not just that eliminating appliances eliminates their associated costs. It’s also that, as a single converged software stack for the entire company, we make coordinating the security and networking domains easier. One set of policies for networking and security, everywhere. Changes in the networking domain automatically update security infrastructure. A single pane of glass for everything. Those are just some of the benefits that cloud-based networking in Cato Cloud brings to enterprises.

So compelling has cloud-based networking become that Gartner recommends that companies “Evaluate WAN as a service for your next refresh, even if you have traditionally pursued a DIY approach.”

Software-Defined Carriers Bring A New Breed of WAN As A Service

Shifting to the cloud is a new model for many IT professionals, particularly in North America. Managed services have often been associated with rigidity and high costs. Many traditional Communications Service Providers (CSPs), the carriers, are little more than integrators, deploying and connecting third-party appliances with their networks. Customer requests, patches, new services: all require carriers to work with their suppliers, who often aren’t available or operate on a different delivery schedule than the requesting provider. Even simple network changes require enterprises to open trouble tickets, and then wait, and wait some more.

But software-defined carriers eschew third-party hardware appliances for cloud-scale software. They’re like AWS for networking. Just as Amazon’s software provides the basis for organizations to instantiate their own virtual datacenters, the software-defined carrier provides the software for enterprises to run their own SD-WANs. And like AWS, Cato maintains the underlying infrastructure while enterprises retain management and control over their own networks.

The result is a leaner, nimbler model than traditional services. With a single multi-tenant software stack, the costs of delivering SD-WAN, security, and more are far lower than stitching together separate can choose any provider for their local loop service. And by being able to manage their network themselves, IT retains the kind of control previously only found in the DIY approach.

Beyond the Magic Quadrant, Cato Continues to Innovate and Grow

Since the close of the Magic Quadrant research, adoption of Cato’s cloud-based approach has only grown. We’ve built the largest independent cloud-based SD-WAN network in the world, with more than 40 points of presence (PoPs) around the globe, a third more PoPs than our closest competitor. We’ve also continued to innovate. In July, we revolutionized the industry with the first identity-aware routing engine for SD-WAN. Last month, we unveiled the end-to-end, self-healing capabilities of Cato Cloud.

And our customer base has grown substantially. Today, more than 200 enterprises with thousands of global locations across Asia/Pacific, Europe, and North America, hundreds of cloud instances, and thousands of mobile users rely on Cato Cloud. Our customers represent companies of all sizes and industries. From mid-market companies with 50 locations across the globe to enterprises with more than 1,000 locations, all have chosen a new vision, the vision of Cato Cloud.

And so I ask, what will be your vision? Will you too look to drop the box and see how the cloud can revolutionize not just applications, servers, and storage but the network as well? If so, give us a call for a free demo to see how visionary you can truly be.

Gartner, Magic Quadrant for WAN Edge Infrastructure, Analyst(s): Joe Skorupa, Andrew Lerner, Christian Canales, Mike Toussaint, Published: 18 October 2018 ID: G00351467. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Top WAN Issues Faced by Globally Distributed Enterprises

Nationalistic trade wars aside, the world’s economy is truly global, and globally distributed enterprises are aggressively expanding their business into more countries. Growth is especially brisk in the Asia Pacific region and China in particular. To establish their facilities, companies need reliable and high-performance network connectivity to global data centers both in-region and out-of-region. Companies that are accustomed to the reliability and affordability of high-performance connectivity in North America and Europe might be challenged by WAN issues as they venture into less developed regions. Internet infrastructure is often less developed, which can lead to problems such as packet loss over the last mile. At the same time, MPLS circuits can be quite costly and take many months to install.

The two top WAN issues for many global enterprises are the quality of last-mile infrastructure to remote locations and the high latency of global connectivity.

Last-mile considerations – Internet last-mile connections in developing countries are often less reliable than in North America or Europe. This may be due to poor physical infrastructure or to an oversubscribed connection shared by many businesses (such as with cable or ADSL). The situation is improving as countries upgrade their infrastructure. Still, a reliable Internet link may be unavailable, requiring the purchase of an MPLS last mile.

Global connectivity considerations – When delivering applications across long distances, latency and packet loss, not bandwidth, determine application performance. This established fact becomes critical for Asia Pacific connections. The long distances and poor Internet peering between the Asia Pacific, North America, and Europe exacerbate latency. Infrastructure problems and oversubscription can increase packet loss.

There are additional considerations for WAN connectivity as well, such as the high percentage of application traffic now going to the cloud, and applications such as voice and video conferencing that require high quality of service. Data and application security are also critically important.

Top WAN Issues are Addressed by a Cloud Network Architecture

There is now an alternative to the traditional approach of using global MPLS services to build a WAN, one that can address all the issues of last-mile connections, latency and packet loss across distances, cloud usage, quality of service, and network security. The new model to meet the networking needs of globally distributed enterprises is a cloud network, also known as software-defined WAN (SD-WAN) as a service.

Cloud networks revolutionize global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, cloud networks provide affordable SLA-backed connectivity at a global scale. Cloud networks deploy edge devices to combine last-mile transports, such as fiber, cable, xDSL, and 4G/LTE, to reach a regional point-of-presence (PoP). From the regional PoP, traffic is routed globally to the PoP closest to the destination using tier-1, SLA-backed global carriers. By keeping the traffic on the same carrier backbone worldwide, packet loss is minimized, and latency can be guaranteed between global locations.

What’s more, a range of optimizations can be applied to get even better performance across both the “middle mile” and the last mile. The middle mile, i.e., the global backbone of the private cloud network, is typically engineered to have zero packet loss. As for the last mile, some cloud network providers are able to apply packet loss mitigation techniques to regenerate lost packets traversing this portion of the network, thus ensuring high quality service. This global networking model extends to cloud services as well.
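“Regenerating” a lost packet on the last mile means the receiver can rebuild it from what did arrive, without waiting for a retransmission across the long path. The post does not say which technique the providers use; the block below is an added example written for this page, not any provider’s code, and shows the simplest form: one XOR parity packet per block of k data packets, which repairs any single loss in the block at a bandwidth cost of 1/k. The packets are constructed; the two-byte length prefix is an assumption made so that a regenerated packet can be trimmed back to its original size.

```python
"""Regenerating a lost last-mile packet with XOR parity.

Added illustration of the packet-loss mitigation mentioned above, written for
this page. The page does not say which technique the providers use; this is
plain single-parity forward error correction, the simplest form. The sample
packets are constructed.
"""
from typing import Dict, List, Optional


def frame(payload: bytes) -> bytes:
    """Length-prefixed frame, so a regenerated packet can be trimmed back to
    its original size even though parity works over zero-padded frames."""
    return len(payload).to_bytes(2, "big") + payload


def unframe(fr: bytes) -> bytes:
    n = int.from_bytes(fr[:2], "big")
    return fr[2:2 + n]


def encode_block(packets: List[bytes]) -> Dict[str, object]:
    """Sender side: the k data frames plus one parity frame that is the XOR
    of all of them (each padded with zeros to the longest). Overhead is 1/k
    and any single loss within the block is repairable."""
    frames = [frame(p) for p in packets]
    width = max(len(f) for f in frames)
    parity = bytearray(width)
    for f in frames:
        for i, b in enumerate(f):
            parity[i] ^= b
    return {"frames": frames, "parity": bytes(parity)}


def decode_block(received: Dict[int, bytes], parity: bytes, k: int) -> List[Optional[bytes]]:
    """Receiver side. received maps sequence number -> frame for the frames
    that arrived. Exactly one missing frame is rebuilt as
    parity XOR (all received frames); two or more losses exceed what one
    parity frame can repair and those positions stay None."""
    out: List[Optional[bytes]] = [unframe(received[i]) if i in received else None
                                  for i in range(k)]
    missing = [i for i in range(k) if i not in received]
    if len(missing) == 1:
        acc = bytearray(parity)
        for fr in received.values():
            for i, b in enumerate(fr):   # shorter frames are implicitly zero-padded
                acc[i] ^= b
        out[missing[0]] = unframe(bytes(acc))
    return out


def demo() -> List[Optional[bytes]]:
    """Constructed loss of the second packet of a three-packet block."""
    packets = [b"GET /index.html", b"voice frame 0x1f", b"ack"]
    block = encode_block(packets)
    arrived = {i: f for i, f in enumerate(block["frames"]) if i != 1}
    return decode_block(arrived, block["parity"], len(packets))


if __name__ == "__main__":
    print(demo())
```

The block size is the tuning knob: a small k repairs bursty loss more often but costs more bandwidth, a large k is cheaper but a second loss in the same block defeats the single parity frame. Production schemes use stronger codes for that case, but the recover-from-what-arrived principle is the same.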
Traffic to SaaS applications like Salesforce.com and Office 365, or to cloud data centers such as Amazon AWS and Microsoft Azure, will exit at the PoP closest to these services, in many cases within the same data center hosting both the PoP and the cloud service instance. This is a dramatic improvement over the unpredictable public Internet and a significant cost saving versus the expensive MPLS option.

Additional features can provide even more benefits to using a cloud network. For instance, a known challenge to having a WAN presence in China is “the Great Firewall of China.” Due to regulatory oversight, traffic leaving the country must be inspected by a central firewall which enforces Chinese regulations regarding the use of Internet and cloud services. As a result of this policy, global Internet-based connectivity from China exhibits high packet loss and high latency. However, a cloud network with a government-approved link can allow traffic exiting China to enjoy consistent low latency and zero packet loss as traffic is optimally routed to all global enterprise locations and cloud applications.

A cloud network also has inherent network security, which enables customers to enforce centralized security policies on WAN and Internet traffic without distributed firewalls. This reduces the cost and complexity of IT services in remote locations.

Conclusion

As the global economy becomes even more intertwined, distributed enterprises will be reaching further into new regions where they can produce and sell their goods and services. This global marketplace must have the support of reliable and high-performance network capabilities to sustain and grow the businesses. A global cloud network facilitates the reach and performance these enterprises need, now and into the future.

You may also be interested in: How to Deliver Reliable, High-Performance WANs into Asia Pacific and China

Cato Extends Self-Healing, End-to-End for Enterprise SD-WANs

With hurricane season upon us, IT already has too many examples of the importance of high availability planning. But building in local redundancy isn’t enough when floods or hurricanes hit. You need to think through the multiple layers of failover across the entire networking and security infrastructure. Yes, that’s usually going to require hours of extensive testing and specialized skills to be done right.

Which is why Cato is enriching the self-healing capabilities of Cato Cloud. Rather than global enterprises having to think about every possible networking failover scenario, Cato Cloud now heals itself end-to-end, ensuring service continuity. We've fully converged self-healing into our security and networking cloud platform with follow-the-network security rules. We’ve also extended Cato Cloud datacenter support with a new SD-WAN device, the Cato Socket X1700. (Dive deep into Cato’s self-healing capabilities and high availability architecture in this whitepaper.)

Digital Transformation Relies On Network Stability

Both introductions are incredibly important, particularly as organizations undergo digital transformation. The network has truly become the computer. Without a stable, consistent networking experience, process re-engineering, digital transformation, and IT efforts to bring value to the business would be impossible.

But as so many of you have told us, delivering an always-on network is far from easy. With traditional enterprises, all edge appliances needed for connectivity, from SD-WAN appliances to supporting security devices, must be made redundant. With each appliance pair, recurring costs grow for the additional equipment. There are also significant operational costs involved to ensure HA works. It’s not just a matter of guaranteeing connectivity in the face of a blackout or component failure. Every appliance pair must be tested alone and with the rest of the HA measures built into your IT infrastructure. Otherwise, you’re likely to find that despite connectivity, users are still unable to access a service or application resource due to a failure to update policies in the security infrastructure or some other aspect of the network.

With the shift to the Internet and SD-WAN, network designers must also consider alternate pathing between locations and how to compensate for the unpredictable Internet in their global network. What happens if that flood or hurricane hits your provider’s facilities? Have you planned for secondary failover? Tertiary failover?

Cato Cloud: The Self-Healing SD-WAN

Self-healing capabilities of Cato Cloud eliminate the complexity of high availability planning. The network ensures service continuity by remediating network failures, updating the security infrastructure, and adapting workflows according to business priority. Edge device failure, network transport failure, failover to a disaster recovery site, moving apps between datacenters or cloud providers and more — Cato Self-Healing SD-WAN solves network problems without requiring IT intervention.

Cato does this on several levels. Even before today’s announcement, Cato Cloud replaced the myriad of appliances, VNFs, and standalone services complicating HA configuration with a single processing software engine for routing, optimizing, and securing all WAN and Internet traffic. The processing engine is fully maintained by Cato and distributed across a cloud-scale global network of points of presence (PoPs). With a “thin edge,” there are fewer devices to fail or require HA design, improving uptime.

In addition, Cato is announcing an enhancement that allows Cato’s security rules to change dynamically with the network. Typically, as workloads move between locations or applications fail over to disaster recovery sites, IT must manually update policies in firewalls and other security or networking appliances. With follow-the-network security rules, Cato’s self-healing algorithms use enhanced BGP capabilities to detect new IP ranges and automatically update all relevant policies for zero-touch service continuity. All of which guarantees that when connectivity is restored, outdated security rules won’t break the application service.

Cato is also introducing a new SD-WAN device, the X1700 Socket, for large datacenters. The rackable device comes with redundant power supplies and hot-swappable hard drives. Like the X1500, Cato’s branch SD-WAN device, the X1700 comes with HA for no additional recurring charge.

Self-Healing Across All Four Networking Tiers

In total, Cato Cloud monitors, discovers problems, reconfigures, and adapts all four tiers of the enterprise network — device, site, region, and global — in real time:

Device — The X1700 Socket protects datacenters against the most common component failures.

Site — All Cato Sockets can be configured in HA mode. If a primary Socket fails, the standby Socket automatically takes over. Cato also creates an overlay across multiple last-mile services, protecting the site from a blackout or brownout in any one last-mile service. The HA capability is included in the service at no extra recurring cost.

Regional — Cato Sockets automatically connect through encrypted tunnels to the nearest Cato PoP. Cato PoPs contain multiple compute nodes running Cato’s fully-distributed software stack. Should a compute node fail, the SD-WAN tunnels will automatically move to an available compute node in the same PoP. Should a Cato PoP become unreachable, the Cato Sockets automatically rehome their tunnels to the next closest PoP. Should the secondary PoP become unreachable, Cato Sockets will continue looking for available PoPs.

Global — Cato PoPs are interconnected by Cato’s SLA-backed global network, eliminating the unpredictability of the Internet core. The Cato Cloud network is comprised of an overlay between Cato PoPs across multiple tier-1, SLA-backed carriers. The Cato PoPs monitor the carriers in real time for network performance, selecting the optimum network for every packet. Should one carrier fail or experience a brownout, traffic is automatically routed across alternate carriers, and possibly through alternate Cato PoPs, giving the Cato Cloud network far better availability than any one underlying carrier.

To learn more about Cato’s Self-Healing SD-WAN and how Cato improves uptime across tiers of the global network, read our in-depth whitepaper here.
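As an added illustration of the follow-the-network idea described above (example code written for this page, not Cato's implementation), the following compares a policy whose rule objects resolve to prefixes learned from simplified BGP-style updates tagged with communities against a conventional rule keyed on literal prefixes, across a simulated DR failover. The community values, prefixes and site names are constructed, and the community-to-application mapping is an assumption about how sites would tag their advertisements.

```python
"""Follow-the-network security rules: a policy that tracks routing updates
versus one keyed on static prefixes. Added example, not Cato's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed mapping: each application object is identified by the BGP
# community its sites attach to the prefixes hosting it (assumption).
APP_COMMUNITY = {"erp": "65000:100", "branch-users": "65000:200"}


@dataclass(frozen=True)
class RouteUpdate:
    """Minimal stand-in for a BGP UPDATE: prefix, announcing site, its
    communities, and whether it is a withdrawal."""
    prefix: str
    site: str
    communities: frozenset = frozenset()
    withdraw: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    src_obj: str   # application object name, resolved at decision time
    dst_obj: str
    action: str    # "allow" or "deny"


class FollowTheNetworkPolicy:
    """Rules reference named objects; object membership is rebuilt from
    routing updates, so a failover rewrites the effective rules itself."""

    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        self.rules = rules
        self.default_action = default_action
        self.app_prefixes: Dict[str, Set] = {a: set() for a in APP_COMMUNITY}
        self._community_to_app = {c: a for a, c in APP_COMMUNITY.items()}

    def apply_route(self, upd: RouteUpdate) -> List[str]:
        """Learn or forget a prefix. Returns the objects whose membership
        changed, i.e. whose rules were effectively updated."""
        net = ip_network(upd.prefix)
        changed = []
        for comm in upd.communities:
            app = self._community_to_app.get(comm)
            if app is None:           # community not bound to any object
                continue
            if upd.withdraw:
                if net in self.app_prefixes[app]:
                    self.app_prefixes[app].discard(net)
                    changed.append(app)
            elif net not in self.app_prefixes[app]:
                self.app_prefixes[app].add(net)
                changed.append(app)
        return changed

    def _member(self, obj: str, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.app_prefixes.get(obj, ()))

    def decide(self, src_ip: str, dst_ip: str) -> str:
        for r in self.rules:  # first match wins, as in most firewalls
            if self._member(r.src_obj, src_ip) and self._member(r.dst_obj, dst_ip):
                return r.action
        return self.default_action


def static_rule_decide(static_rules: List[Tuple[str, str, str]],
                       src_ip: str, dst_ip: str) -> str:
    """A conventional rule on literal prefixes that nobody updates during
    the failover; first match wins, default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in static_rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"


def run_failover_scenario() -> dict:
    """ERP moves from the primary data center to a DR site; compare both
    policies before and after. All addresses are constructed samples."""
    dyn = FollowTheNetworkPolicy([Rule("branch-to-erp", "branch-users", "erp", "allow")])
    static_rules = [("10.20.0.0/24", "10.10.0.0/24", "allow")]
    erp = frozenset({APP_COMMUNITY["erp"]})
    branch = frozenset({APP_COMMUNITY["branch-users"]})
    # Steady state: branch prefix and ERP prefix at the primary DC are learned.
    dyn.apply_route(RouteUpdate("10.20.0.0/24", "branch-1", branch))
    dyn.apply_route(RouteUpdate("10.10.0.0/24", "dc-primary", erp))
    before = {"dynamic": dyn.decide("10.20.0.7", "10.10.0.5"),
              "static": static_rule_decide(static_rules, "10.20.0.7", "10.10.0.5")}
    # Failover: primary withdraws the ERP prefix, DR announces a new one with
    # the same community. The static rule still points at the old prefix.
    dyn.apply_route(RouteUpdate("10.10.0.0/24", "dc-primary", erp, withdraw=True))
    rewritten = dyn.apply_route(RouteUpdate("10.90.0.0/24", "dc-dr", erp))
    after = {"dynamic_to_dr": dyn.decide("10.20.0.7", "10.90.0.5"),
             "dynamic_to_old": dyn.decide("10.20.0.7", "10.10.0.5"),
             "static_to_dr": static_rule_decide(static_rules, "10.20.0.7", "10.90.0.5"),
             "static_to_old": static_rule_decide(static_rules, "10.20.0.7", "10.10.0.5"),
             "rewritten_objects": rewritten}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_failover_scenario())
```

After the failover the static rule both blocks the DR site and keeps an allow entry for a prefix that is no longer the application, which is the stale-rule problem the post describes.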

What Enterprises Say about Cato’s SD-WAN

Marketers have their brochures; engineers have their test reports, but nothing is more compelling when selecting an SD-WAN than real-life experience. The “proof” truly is “in the pudding,” as they say. Today’s blog takes a look at some challenges real customers faced with their WAN infrastructure, and how Cato Networks was able to help.

Paysafe Group

Both executives and users were frustrated with being unable to access corporate resources when visiting different Paysafe offices. A productive and functioning user mobility platform became a strategic focal point. Paysafe decided to replace its mix of MPLS and Internet-based VPN with Cato Cloud to create a single converged network. For a fraction of the price, the Cato Cloud solution improved performance over the Internet VPNs and is on par with MPLS. Paysafe’s Infrastructure Architect, Stuart Gall, comments, “During our testing, we found latency from Cambridge to Montreal to be 45% less with Cato Cloud than with the public Internet, making Cato performance comparable to MPLS.”

Pet Lovers

With over 100 stores and franchises connected with Internet-based VPNs, Pet Lovers had security concerns as only the datacenter and four stores had firewall protection in place. Adding firewalls and other security appliances at each store was too expensive, slow to deploy, and would be difficult to manage. Although MPLS was considered as a possible solution, they decided it would be too expensive and too slow to deploy. David Whye Tye Ng, the CEO and executive director at Pet Lovers, made the decision to go with Cato Cloud. The solution appealed to Ng because in addition to aggregating traffic from all locations into a common SD-WAN, the solution includes FWaaS (firewall as a service) so they could secure every location without deploying firewall appliances. “Hooking up all my stores in eight countries and being able to precisely and clearly manage them from a single dashboard was a major win for going with Cato,” he says.

DSM Sinochem Pharmaceuticals (DSP)

The IT team at DSP was facing several problems that needed to be addressed. Their 10-site global MPLS network was congested, the end-user experience was slow, the MPLS network was expensive, and moving locations took 3-4 months. Matthieu Cijsouw, Global IT Manager, and his team were able to transition to Cato Cloud in about one month, with actual cutovers taking approximately 30 minutes. The solution reduced costs while increasing bandwidth. According to Cijsouw, the performance to their office in China now works equally or “even better” than with MPLS. He summarized his experience: “Product delivery, support have all been there. With Cato Cloud, not only did I receive a more agile infrastructure, but I also received an agile partner who can keep up with my needs. We operate faster because of Cato.”

Fisher & Company

Fisher had a complex global MPLS network that faced challenges including high costs, limited bandwidth, backhauling that created a single point of failure, and a fractured management platform that made administration of MPLS and security a painful process. Fisher turned to Cato’s SD-WAN service with an affordable, global, SLA-backed backbone. Despite drastic cost cuts, application delivery actually improved. Systems Manager Kevin McDaid notes, “Users definitely feel it in their user experience. Things like screen refreshes of our ERP system, seem to be a lot quicker with Cato.” Additionally, Fisher now has control and visibility of the network and security infrastructure from just one interface.

Alewijnse

Alewijnse had an MPLS mesh network with a datacenter and ten other sites, with three other locations connected via Internet VPN. Issues of poor Internet and cloud performance, MPLS costs, security, and IT agility prompted the manager of ICT, Willem-Jan Herckenrath, to consider other options. The search for a simpler WAN design that addressed security and mobile concerns as well as reduced costs led them to Cato Cloud. The increased bandwidth and elimination of the Internet backhaul improved Internet performance. “With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost,” Herckenrath says.

FD Mediagroep (FDMG)

With many journalists working in physical offices as well as in the field, FDMG had a complex network of MPLS and remote access solutions. Maintaining separate security policies for fixed and mobile users and the cost and scaling limitations of MPLS were among the problems they were facing. Jerry Cyrus, Technical Team Leader and Information Security Officer (ISO), says although the initial goal was to reduce WAN costs, value in other aspects was achieved when moving to Cato Cloud. “We’re spending about 10 percent less with Cato than with MPLS,” says Cyrus. “Our savings are even greater if we factor in the licensing, installation, and management costs associated with the VPN concentrator...With Cato Cloud, I increased bandwidth, replaced two things with one solution, improved user experience, maintained performance and uptime, and made IT more agile. That’s what I call a huge win.”

W&W-AFCO Steel

As the company grew, the structural steel fabricator realized the Internet-based VPN network was becoming increasingly ineffective. With an office in the US, India, and remote-based ad hoc project teams, essential tasks over the network either were painfully slow or just wouldn’t work at all because the latency, on average, would reach 150ms. An MPLS solution was determined to be too expensive, so they turned to SD-WAN with Cato. Vice President Todd Park appreciates the agile infrastructure and improved performance. “Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach,” he says. Latency improved to averages of “50 to 70 milliseconds,” he says. And with Cato, they can now block web browsing, downloads, or other applications from interfering with site performance.

To learn more about Cato Cloud, register for a demo today.

Top 5 Myths About SD-WAN

MPLS has been a popular choice for enterprise networks for many years. Despite the relatively high costs, MPLS can deliver the SLA-backed performance required for today’s applications. Although it has almost legendary status, every legend develops myths. Let’s take a look at five myths about MPLS:

Myth 1: MPLS is Necessary for Enterprises that Demand High Availability

MPLS networks are known for high uptime, but MPLS isn’t the only option when high availability is required. SD-WAN is a flexible solution that integrates low-cost Internet transports into a virtual WAN connection. Utilizing multiple links and additional features such as load balancing and real-time monitoring of circuit health and performance, SD-WAN can achieve the high availability today’s enterprises demand. Achieving high availability by having more than one circuit is great, but SD-WAN can also mix circuit types, such as fiber and 4G, to guarantee physical-layer redundancy.

Myth 2: The Entire Network Needs to be Built with MPLS

Businesses have embraced cloud applications for ease of access and lower costs. But these applications live outside the corporate network, and the MPLS network doesn’t connect to the cloud. Companies that are heavily invested in their current MPLS infrastructure can take a hybrid approach and add SD-WAN to provide improved access to the cloud. Rohit Mehra, vice president of network infrastructure at IDC, notes, “SD-WAN will be particularly relevant for enterprises that have adopted or are adopting hybrid cloud and especially those that are availing themselves of SaaS application services.” Another scenario for MPLS augmentation with SD-WAN is opening a new office or moving to a new location. Provisioning new MPLS circuits is notoriously slow, and SD-WAN can be used in situations where agility is required. This also holds true if cost is an issue, as SD-WAN can be less expensive to deploy.

Myth 3: MPLS is Secure

On its own, MPLS doesn’t employ security protocols. The security is based on the VLAN implementation; MPLS is technically a shared medium with customer traffic marked to be in its own VLAN. MPLS networks are not vulnerable to the kinds of attacks seen on the Internet, since attackers can't reach them from the Internet, which is why they're perceived as being secure. However, because traffic is sent in the clear, they are vulnerable to wiretapping. Many MPLS customers today add VPN encryption to secure the network. MPLS also does not prevent malware from propagating between MPLS-connected sites. Most often, MPLS configurations backhaul traffic to a datacenter and rely on the firewall at the datacenter to provide security. Optionally, some SD-WAN providers offer solutions with converged security using a single pane of glass with event correlation of network and security traffic.

Myth 4: MPLS is the Only Networking Option for Enterprises in China

With the recent crackdown on VPN connections in China, many believe MPLS is now the only way to go. In reality, VPN is still an option, but the connection must be officially registered with the Chinese government. MPLS is an alternative, but provisioning a circuit in China can take months, maybe even years, to complete. SD-WAN providers that are approved and registered with the Chinese government can provide connectivity to China without the cost and lengthy provisioning process of MPLS. SD-WAN connectivity also means the connection will not be blocked by “The Great Firewall of China”, which is notorious for creating packet loss and latency issues.

Myth 5: MPLS is the Only Option for Global Networks

SD-WAN technology has gone from an emerging technology to mainstream in 2018. According to research firm IDC, SD-WAN revenues will reach $2.3 billion in 2018 and more than $8 billion by 2021. But some see SD-WAN as no more than a regional solution because using public Internet connections internationally introduces unpredictable performance. However, this is not the case for SD-WAN providers that have a global private backbone to ensure traffic is optimized and securely delivered around the globe. SD-WAN also holds an advantage over MPLS for global users accessing cloud resources. With only an MPLS backbone, users backhaul to the enterprise HQ and then out to the cloud, incurring long delays, or they access cloud resources over the public Internet, incurring the higher cost of additional security infrastructure. With a global SD-WAN infrastructure, users from anywhere in the world can access cloud applications and other corporate resources across the global backbone and expect high-performance connectivity.

The WAN, the Myth, the Legend

MPLS has earned and is deserving of its legendary reputation for reliability and performance. But when it comes to the nuts and bolts of running a business, it’s important to rely on the facts and not merely the myths of any solution. SD-WAN has become a viable option for enterprise networks and can complement an existing MPLS network to overcome obstacles such as cost, agility, availability, and cloud access. Learn more about WAN, MPLS, and SD-WAN technologies at the Cato Networks blog.

Understanding the hidden costs of virtual CPE

One of the interesting adjacent markets of SD-WAN is network functions virtualization (NFV), where it becomes possible to run branch and network services as virtual workloads. There are many benefits to virtualizing network functions such as increased agility, speed of deployment, and centralized management. ZK Research strongly recommends companies look at virtual services as part of their SD-WAN strategy. As part of that decision, network professionals need to consider how and where these virtual services should reside. One option is to run standalone virtual services as individual virtual CPE (vCPEs) on physical appliances, such as routers or servers. The other option? Run them as shared, multi-tenant, cloud-resident services.

Good and Bad of vCPE

Many engineers have leaned towards vCPE as the on-premises model mostly because it mirrors what is in place today. Routing functions tend to run in, well, routers; firewall functions tend to run in firewalls. Relying on vCPE has that same familiarity. Replicating the old model provides some value, namely the consolidation of hardware infrastructure. There’s also an obvious cost advantage of using vCPE and not separate hardware appliances. But there are some hidden costs that buyers should be aware of:

Device scaling: Even though the services are virtual, they still need to run on a hardware appliance. Most edge appliances are optimized for cost, which constrains the amount of computing available on the box itself. The virtual services may run fine in a lab and at deployment time. Over time though, the amount of horsepower required to run the services goes up as more network traffic and data is generated. When this happens, the device runs out of juice and IT is left playing a careful balancing act: upgrade the hardware or start turning services off. This can be particularly damaging to security, as turning off some features might leave the organization open to being breached.

Maintenance of appliance: If there’s an appliance, it will need maintenance to ensure patches, firmware, operating system, software, and other things are kept up to date. Even in a managed services scenario, where the service provider handles this, the costs are still there but might be hidden from the customer and presented in the form of higher monthly charges. If there’s hardware, there will be maintenance costs and, on average, this runs at about 25 cents per year for every dollar initially spent.

Management complexity: The virtual services may be co-resident on the single appliance, but in actuality they are still distinct appliances that require independent management. Each one would have its own management console, updates, and configuration changes. Also, since the vCPEs are their own domains, the data isn’t integrated at all, so gaining insights from the data collected requires manual integration of the data, which can be difficult, if not impossible.

An appliance is still an appliance, no matter what the format. Businesses that choose to go that route do not get any of the cost or elastic benefits afforded by the cloud, and the management model remains the same, which is one of the biggest challenges in running a global network.

A Different Approach

The other option is to run virtual services in the cloud. In this scenario, the only equipment needed on premises is a small appliance for moving traffic into the cloud for processing. From there, the services are optimized and secured in the network, removing the burdens of device scaling, appliance maintenance costs, and management complexity from the customer.

Virtual CPE may seem appealing, but changing the network without changing the service layer is like upgrading the body of a car and leaving the old engine in place. SD-WANs came into existence because the cloud changed traffic patterns. It makes sense that the service and management layer would move to the cloud to give those services the same level of elasticity, agility, and manageability as the network now has. A good way to think about the relationship between SD-WANs and virtualizing network functions is that the former brings agility to network transport and the latter creates agility at the network and security service layer. Doing one without the other is only solving half the problem.

A New Approach to SD-WAN Management

For a while now, there have been two basic SD-WAN solutions, offering a choice between DIY (appliance-based) or fully managed (service-based) solutions. Each choice has its advantages, but they also have distinct disadvantages. With the two at opposite ends of the spectrum, customers increasingly prefer an SD-WAN solution that encompasses the advantages of both. In essence, they want a solution that is managed as an appliance but provided as a service.

Comparing Both Ends of the Spectrum

An appliance-based solution allows organizations to manage and direct their SD-WAN solution and utilize various Internet connection options, rather than being tied to a particular carrier. The customer has the ability to make changes to the network and update any security policies when they choose. In contrast, a service-based solution is provided and managed by a particular carrier. The carrier provides any needed appliances and a private network with security features included in the package solution.

Enterprises who have implemented an SD-WAN appliance-based solution have typically encountered three common problems.

Erratic Internet - The autonomy of using a variety of Internet connections means there is no carrier-backed SLA provided to protect against latency and unpredictability. With no backbone to send traffic over to provide consistent connectivity, Internet connections are unpredictable. Internet performance simply fluctuates too much moment-to-moment and day-to-day, particularly when connections cross between backbones or Internet regions, to deliver the predictable performance needed for enterprise-grade voice and other critical applications.

No Security - SD-WAN appliance solutions don’t provide any security, so security must be added to the solution via service insertion or service chaining. When moving from MPLS to SD-WAN appliances, each location will now have its own connection to the Internet. How will they secure all of the Internet access points created by SD-WAN? With the expanded attack surface, every office with DIA now requires the full range of security services, including next-generation firewall (NGFW), IDS/IPS, sandboxing and more. Patching, upgrades, and capacity planning, now for many locations, need to keep pace with increasing traffic loads and a growing threat landscape.

Integration Challenges - Missing components that a service provider can provide, such as SLA-backed backbones and security services, are significant gaps in the solution. No SD-WAN appliance addresses mobile users or is inherently suitable for the cloud. Once companies deploy SD-WAN, there is still the problem of connecting and protecting mobile users and providing secure access to cloud resources.

The Shift Away From DIY

It’s no wonder that, when polling organizations using SD-WAN, research shows growing service adoption. About 30% of respondents in 2017 indicated they were using a service provider for SD-WAN, a number that increased to 49% in 2018. This 19% jump suggests the issues with appliance-based SD-WAN motivated some organizations to move to a service-based solution. However, let’s not forget, carrier-managed SD-WAN services have their own set of challenges:

Cost - The components of a carrier-based solution aren’t much different from an appliance-based solution. In reality, they’re just wrapping third-party SD-WAN and security appliances with the existing carrier networks and charging for the packaged solution.

Agility - With a managed service, your hands are tied. The network and security services are managed by the carrier, and the customer must rely on the carrier's support services for any needed changes. Simple changes, such as firewall rules, could take a couple of days.

Bad Service - Not all carriers have a reputation for exceptional service. Committing to one service provider could mean paying for a service that isn’t necessarily good service.

Self-service SD-WAN Allows For Flexibility

The advantages of SD-WAN are undeniable, but organizations today would like to see the benefits of both appliance and managed SD-WAN solutions without the drawbacks. There is an SD-WAN solution that brings the best of both into one solution – self-service SD-WAN. Most SD-WAN and network security capabilities move from appliances on the customer premises into the cloud provider’s core. The SD-WAN as-a-service provider maintains the underlying shared infrastructure — the servers, storage, network infrastructure, and software — allowing enterprises to modify, configure and manage their SD-WAN as if it ran on their own dedicated equipment. Enterprises gain the best of both worlds: low-cost shared infrastructure and the flexibility and performance of dedicated devices. With a self-service solution, the customer is in control of changes the business requires, costs are reduced, and repair time is improved.

Technology has shifted, and businesses require an agile WAN infrastructure with the ability to roll out sites in days, not weeks or months. The WAN is transforming into a resource that connects mobile, SaaS, IaaS, and offices, and that requires more than simple connectivity. Intelligence, reach, optimization, and security are attributes the WAN needs today, and a self-service SD-WAN as a Service solution brings all the advantages of SD-WAN into one solution.

The Cato Cloud from Cato Networks provides a self-service solution and optimizes both the last mile, between the customer edges and the Cato PoPs, and the middle mile, on the Cato global backbone. Cato Cloud provides a Management Application that enables full traffic visibility for the entire organizational network and the ability to manage a unified policy across all users, locations, data, and applications. The Cato Cloud environment is managed by Cato’s global Network and Security Operations Center, staffed by a team of network and security experts to ensure maximum uptime, optimal performance and the highest level of security. Find out how Cato Networks can transform your WAN by subscribing to our blog.

Back to School with SD-WAN

We have all seen the signs that a new season has begun. No, we’re not talking about the fall season – it’s back to school... Read ›
Back to School with SD-WAN We have all seen the signs that a new season has begun. No, we’re not talking about the fall season – it’s back to school season! The season is filled with shopping for school supplies and a new outfit for the first day. So in the spirit of the season, we’ve decided to create a curriculum for learning everything you wanted to know about SD-WAN. SD-WAN Curriculum and Resource Materials Here are five resources of information to understand SD-WAN, but also about other technologies that impact SD-WAN. Reviewing these resources will provide a solid foundation for understanding SD-WAN in today’s technology landscape. Including these resources in your studies will help to make you the smartest person in the room. Networking 101: Networking Glossary Networking and WAN have a language of their own, with new terms being added as new technologies emerge. Knowledge and awareness of these terms are necessary when evaluating your WAN solution. Learn some of the need-to-know terms to add to your tech vocabulary such as NFV (Network Functions Virtualization) and Internet backhaul. Learning these terms will help you when discussing different WAN solutions, technical challenges that must be addressed, and security considerations for the enterprise network. Foundations of WAN: MPLS, SD-WAN, and the Promise of SD-WAN as a Service MPLS has been a staple of enterprise networks for years, but business networks are changing. IT managers are realizing it’s time to reconsider their network architectures. Find out more about the challenges that legacy WAN infrastructures are being faced with today, such as provisioning time and cost issues, and how SD-WAN addresses those challenges. However, not all SD-WAN solutions address these challenges equally. This resource can help you understand the differences between an SD-WAN appliance-based solution and SD-WAN as a service solution. 
The Origin of WAN: The Evolution of SD-WAN Initially, the adoption of SD-WAN was driven by budgetary constraints of legacy WAN infrastructure. Over time, the driving factors for SD-WAN have evolved to include agility, performance, and connectivity to cloud and mobile resources. It’s beneficial to learn the history behind technologies such as MPLS and SD-WAN and the forces behind these changes. The changes in SD-WAN can be broken down into three phases that reflect how it has adapted to the demands of business requirements. An SD-WAN solution that incorporates all three aspects of WAN transformation into one solution can simplify an otherwise complex environment. Critical Thinking – WAN Strategies: MPLS, SD-WAN, Internet, and the Cloud The WAN ties together the remote locations, main office, and data centers of every enterprise. But today’s enterprises now also include cloud resources and mobile workforces that need optimized and secure connectivity. Gain insight into choosing the best networking technology by comparing the different connectivity, optimization, and security options for the next generation WAN. This resource will also increase your understanding of securing legacy WAN, SD-WAN, and cloud traffic. Business Economics: The Business Impact of WAN Transformation with SD-WAN No doubt SD-WAN is a hot technology right now, but IT and business leaders need to justify the investment. A move to SD-WAN should be initiated by a solid business case with positive business impacts. Find out how SD-WAN can meet objectives such as improving network capacity, availability, and agility to increase user productivity; optimize global connectivity for fixed and mobile users; enable strategic IT initiatives such as cloud infrastructure and application migration. By addressing these objectives with SD-WAN, businesses can ensure a return on investment. 
Final Tips From the Instructor

After completing the outlined curriculum, you should feel confident in your understanding of SD-WAN and related technologies. With a solid foundation of knowledge, there are many topics regarding SD-WAN and its business impact that can deepen your understanding even further. SD-WAN is an exciting technology that is transforming enterprise infrastructures to meet today’s business requirements. You are encouraged to keep learning about the latest developments in the SD-WAN industry. Subscribe to the Cato Networks blog to stay informed and be at the head of the SD-WAN class. Class dismissed!

The SD-WAN Features Needed to Accelerate Global Application Delivery

SD-WANs are the go-to alternative for enterprises looking to reimagine their networks. With the right mix of SD-WAN features, IT can improve agility, availability, and, yes, even lower their network transport costs.

Where SD-WAN Falls Short

And yet for all of the good cheer promised by SD-WAN, anyone who’s tried to deliver a global network using the Internet must confront the problem of unpredictable SD-WAN performance. Traditional SD-WAN features focus on selecting the best path, not providing a better path. Within test environments or regional networks, these limitations may not be apparent. But as distance grows, latency mounts. Add in the latency from the indirect paths Internet routing will select when sending packets, and it’s easy to see how latency will become too high for enterprise-grade communication. There are too few “good” routes available. And if no “good” paths exist through the network, there’s little an SD-WAN can do to compensate.

Which Tradeoff to Choose?

Few enterprises can risk sacrificing application performance and worker productivity in exchange for lowering their telecom costs. But what’s the alternative? You can play it safe by retaining a pricey MPLS circuit at each branch location and configuring your SD-WAN to route latency-sensitive traffic over it when Internet links are congested. That works but takes a big bite out of your cost-cutting efforts. We believe there’s a better option: one that retains Internet economics while bumping up network characteristics to be on par with MPLS. The approach calls for a global, private backbone to eliminate the Internet’s performance issues across distance, and instead relies on the Internet for what it does best: access.

SD-WAN as a Cloud Service

Cato Cloud is an SD-WAN as a service (SDWaaS). It is built on a global, affordable private backbone leased from multiple tier-1 IP service providers with SLA-backed capacity.
And as a private backbone, the Cato Cloud network incorporates the key SD-WAN features needed to avoid the congestion, latency, and packet loss problems that plague the Internet. But a global backbone isn’t the only SD-WAN feature Cato Cloud provides for building a predictable, global network.

Key SD-WAN Features of Cato Cloud

Optimized traffic flows. We individually optimize traffic flows in the last mile (from customer location to PoP) and in the middle mile (from PoP to PoP). Your traffic avoids Internet peering exchanges, where Internet providers hand off traffic to one another, so it isn’t subjected to the congestion and sudden spikes in loss and latency that often occur at these locations.

Bandwidth management and control. We run an encrypted software-defined overlay across all the backbone segments of our cloud infrastructure. The overlay uses application-aware routing and analyzes latency and loss statistics gathered from each backbone to select the optimum route based on current network conditions. We also apply quality of service (QoS) capabilities, such as application and protocol priority marking, to ensure the performance of latency-sensitive, real-time applications.

Redundancy and failover. Like any Internet service, we take advantage of the redundancy inherent in the existing Internet infrastructure. Connecting our PoPs to multiple tier-1 IP backbones for diversity is one element of the redundancy built into Cato Cloud. Within a PoP, one component can take over for another in the event of a component failure. And if a PoP should become unreachable for any reason, we route traffic to another PoP.

The result is an SD-WAN that can deliver the kind of availability and uptime typical of MPLS services but at a fraction of the cost. To learn more, read our blog about the impact of route diversity on SD-WANs.
Are Legacy SD-WANs ‘Good Enough’?

SD-WANs generally do a good job of choosing the best path to their destination, factoring in the application’s level of latency sensitivity and balancing those performance requirements against cost. But without a global, private backbone, an SD-WAN must depend on the Internet, and Internet performance remains unpredictable, especially over global distances. Your SD-WAN might be able to dynamically pick the least-congested path, but you’re out of luck if all the available paths happen to be congested. Avoiding this either/or conundrum is the goal of Cato Cloud. It delivers Internet economics with MPLS reliability and performance. Budget-strapped enterprises no longer have to risk performance hits to meet their requirements. SD-WAN as a service applies the private networking concepts inherent in MPLS to IP networks. To learn more, read our white paper, “The New WAN: Why the Private Internet Will Replace MPLS.”

Backbone Performance: Testing the Impact of Cato Cloud’s Optimized Routing on Latency

It’s no secret that the Internet has a love-hate relationship with performance. Tidy and quick one day, slow and sluggish the next — Internet connections are anything but predictable. Which begs the question: how can an SD-WAN perform well if it’s based on the public Internet?

The key is replacing the Internet core with a managed network. Simply taking a more direct path across the middle mile helps reduce latency. However, latency can be reduced even further by looking at the network more holistically, as we recently saw when analyzing Cato Cloud performance. So often a straight line across an IP network is not the shortest distance.

Latency is a middle-mile issue

A recent study showed once again that latency in an Internet connection is a matter of the middle mile, not the last mile. The testing, conducted by SD-WAN Experts, compared latency across public Internet connections, isolating last-mile from middle-mile performance, with that of a private backbone, namely Amazon’s AWS network. The results showed that although the last mile proved to be more erratic than the middle mile, its impact on the overall connection was negligible. “What we found was that swapping out the Internet core for a managed middle mile makes an enormous difference,” writes Steve Garson, president of SD-WAN Experts. “The latency and variation between our AWS workloads were significantly better across Amazon’s network than the public Internet.”

The reasons for the problems in the Internet middle mile are well known. Routers are built for fast traffic processing and are therefore stateless. Control plane intelligence is limited, as there’s little communication between the control and data planes. As such, routing decisions are based neither on application requirements nor on the current levels of packet loss, latency, or congestion on each route.
Shortest path selection is abused. Service providers’ commercial relationships often work against the end user’s interest in best path selection. In short, the Internet moves traffic forward based on what’s best for the providers, not the users or their applications.

Cato Cloud fixes the middle mile

Cato replaces the Internet middle mile with a private network, the Cato Cloud network. Cato PoPs construct an overlay across SLA-backed IP transit services from multiple tier-1 providers. With SLA-backed IP transit, Cato can route traffic globally on a single provider and avoid the loss and congestion issues associated with the traffic handoffs that occur at Internet exchanges. Cato further improves the connection by monitoring the real-time conditions across its providers, selecting the optimum path across Cato Cloud for every packet.

The optimum path is not always the most direct one, though. Case in point: a recent example between two Cato PoPs, one in Virginia and the other in Singapore. In this case, the Cato software evaluated the round trip time (RTT) across the direct path between Virginia and Singapore but identified a better, indirect route via Dallas. Cato Cloud’s direct path showed an RTT of 227 milliseconds, about 5% less latency than the typical RTT (240 ms) for Internet connections between Singapore and Ashburn. Routing through Dallas, though, showed a lower RTT of 216 ms, shaving 10% off Internet RTTs and providing latency comparable to what you might expect from MPLS services — at a fraction of the cost.

(Figure: We calculated round-trip times, measuring latency from Virginia to Singapore (1) and Singapore to Virginia (2) for both optimized and direct paths (3).)

The latency impact

A ten percent savings is particularly significant as organizations look at real-time application delivery.
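The path selection described here, and in the "Bandwidth management and control" feature of the previous post (choosing a route from latency and loss statistics gathered on each backbone segment), can be sketched as a shortest-path search over live measurements. The block below is an added example, not Cato's software: a Dijkstra search where each segment's cost combines its RTT with a loss penalty. The PoP names follow the post; the per-segment values, the extra London legs, and the weight given to loss are constructed, chosen so that the direct segment measures 227 ms and the route via Dallas sums to 216 ms, the figures quoted above.

```python
"""Multi-segment path selection across a private backbone.

Added example, not Cato's software: a minimal Dijkstra over live
per-segment measurements, showing why the best path is not always the
direct one. PoP names follow the post; all measurements are constructed so
that the direct Virginia-Singapore segment shows 227 ms and the path via
Dallas sums to 216 ms. The loss weighting is an assumed design choice.
"""
import heapq
from typing import Dict, List, Tuple

Segment = Tuple[str, str]
Measurement = Tuple[float, float]  # (rtt_ms, packet_loss_fraction)

# Constructed measurements; each segment is treated as symmetric.
SEGMENTS: Dict[Segment, Measurement] = {
    ("virginia", "singapore"): (227.0, 0.002),  # direct path
    ("virginia", "dallas"): (32.0, 0.000),
    ("dallas", "singapore"): (184.0, 0.001),
    ("virginia", "london"): (60.0, 0.000),
    ("london", "singapore"): (150.0, 0.020),   # lower RTT but lossy
}

INTERNET_RTT_MS = 240.0  # typical Internet RTT Singapore-Ashburn quoted in the post
LOSS_WEIGHT_MS = 1000.0  # assumed: 1% loss is penalised like 10 ms of extra RTT


def segment_cost(rtt_ms: float, loss: float) -> float:
    """Collapse a segment's RTT and loss into a single routing cost."""
    return rtt_ms + loss * LOSS_WEIGHT_MS


def build_graph(segments: Dict[Segment, Measurement]):
    """Adjacency list: node -> [(neighbour, cost, rtt_ms)]."""
    graph: Dict[str, List[Tuple[str, float, float]]] = {}
    for (a, b), (rtt, loss) in segments.items():
        cost = segment_cost(rtt, loss)
        graph.setdefault(a, []).append((b, cost, rtt))
        graph.setdefault(b, []).append((a, cost, rtt))
    return graph


def best_path(segments: Dict[Segment, Measurement], src: str, dst: str):
    """Dijkstra on segment cost. Returns (path, total_rtt_ms, total_cost)."""
    graph = build_graph(segments)
    heap = [(0.0, 0.0, src, [src])]
    settled = set()
    while heap:
        cost, rtt, node, path = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        if node == dst:
            return path, rtt, cost
        for nbr, seg_cost, seg_rtt in graph.get(node, []):
            if nbr not in settled:
                heapq.heappush(heap, (cost + seg_cost, rtt + seg_rtt, nbr, path + [nbr]))
    raise ValueError(f"no path from {src} to {dst}")


def direct_rtt(segments: Dict[Segment, Measurement], src: str, dst: str) -> float:
    """RTT of the single direct segment between src and dst."""
    rtt, _ = segments.get((src, dst)) or segments[(dst, src)]
    return rtt


def savings_pct(baseline_ms: float, rtt_ms: float) -> float:
    """Percentage by which rtt_ms undercuts baseline_ms."""
    return (baseline_ms - rtt_ms) * 100.0 / baseline_ms


if __name__ == "__main__":
    path, rtt, _ = best_path(SEGMENTS, "virginia", "singapore")
    print("direct :", direct_rtt(SEGMENTS, "virginia", "singapore"), "ms")
    print("chosen :", " -> ".join(path), rtt, "ms",
          f"({savings_pct(INTERNET_RTT_MS, rtt):.0f}% below typical Internet RTT)")
```

Because the search runs over the current measurements, re-running it after a segment degrades (for instance, loss on the Dallas-Singapore leg rising to 5%) flips the choice back to the direct segment; the London legs show that a lower raw RTT does not win when loss makes the path costlier.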
Voice, remote desktop — these applications are sensitive to the kind of latencies seen on connections between the Asia Pacific and North America. The latency on these connections is already at the edge of impacting the user experience. As Phil Edholm recently explained, we naturally wait 250 to 300 milliseconds before speaking again in a voice conversation. A 10 percent savings in latency can make the difference between an intelligible call and an unintelligible one. For too long, organizations have had to choose between the cheap public Internet, with its unpredictable global connectivity, and an expensive but solid global MPLS connection. Independent backbones, like Cato Cloud, offer a way out of that trap. By selecting the optimum path across affordable IP backbones, be it direct or through another city, Cato Cloud can give companies MPLS-like performance at Internet-like prices.

What is SD-WAN?

The way in which organizations work is changing. Work is done in more places and the Internet has become central to how business is conducted. This means that corporate networks must change as well. The answer: Software-Defined Wide Area Networks (SD-WANs). SD-WAN brings unparalleled agility and cost savings to networking. With SD-WAN, organizations can deliver more responsive, more predictable applications at lower cost in less time than the managed MPLS services traditionally used by the enterprise. IT becomes far more agile, deploying sites in minutes; leveraging any available data service such as MPLS, dedicated Internet access (DIA), broadband or wireless; and being able to reconfigure sites instantly. SD-WAN does this by separating applications from the underlying network services with a policy-based, virtual overlay. This overlay monitors the real-time performance characteristics of the underlying networks and selects the optimum network for each application based on configured policies.

What’s the Difference between SD-WAN and SDN?

SD-WANs implement software-defined networking (SDN) principles to connect locations. SDNs were first introduced in the data center with the goal of increasing network agility by separating the data plane from the control plane. The policies and routing intelligence run in one or more servers (“controllers”), which instruct the networking elements forwarding the packets (switches and routers). SDN created an overlay across the local network, opening up a world of possibilities in efficiency and agility. SD-WAN creates an overlay across the wide area network, bringing similar efficiency and agility gains.

How Does SD-WAN Work?

An SD-WAN is built on the very powerful idea of separating the network services (such as cable, xDSL, 4G/LTE) from the applications that the organization wants to use. This independence enables the network to be configured to more efficiently optimize those applications.
In an SD-WAN, a specialized appliance at the site’s edge connects to the network services, typically MPLS and at least two Internet services. Across those services, the SD-WAN appliance joins a network of encrypted tunnels — the overlay — with other SD-WAN appliances. Policies configured at a central console are pushed out and enforced by the appliances using policy-based routing algorithms. As traffic reaches the appliance, the SD-WAN software evaluates the performance and availability of the underlying network services and directs packets across the optimum service at that moment; pre-configured application policies dynamically select the optimum tunnel for a specific session based on a number of priorities and network conditions.

The world of SD-WANs is evolving. Variations on the basic concept, differing in where the lion’s share of the networking and security processing is done, are creating a rich set of vendor and service provider choices for organizations ready to move from legacy WAN services.

Why Do Enterprises Need SD-WAN?

The cloud and high levels of mobility characterize how people use networks today. WANs, however, were designed in an era in which the focus was on linking physical locations. Using the old approach to support the new needs results in expensive global connectivity, complex topologies, and widely dispersed “point products” that are difficult to maintain and secure. The unending and cumbersome cycle of patching, updating, and upgrading requires skilled techs, an increasingly scarce commodity. That’s especially distressing because all this complexity is an inviting target for hackers, who can exploit misconfigurations, software vulnerabilities, and other attack surfaces.

There are several reasons that legacy WANs are no longer up to the job. MPLS, the focal point of the old approach, is expensive and requires long lead times for deployment to new locations.
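The edge behaviour just described (the appliance measures each underlying service and applies a per-application policy to pick a tunnel) and the tradeoff from the earlier post, where latency-sensitive traffic is steered onto a retained MPLS circuit when the Internet links are congested, can be illustrated with a small policy engine. This is an added example and not any vendor's code; unlike a backbone path search it works per link at one site, with thresholds rather than a graph. The link names, probe results, tolerances and the port-to-application table are constructed for the example.

```python
"""Policy-based link selection at an SD-WAN edge appliance.

Added example, not any vendor's code: the overlay measures each underlying
service (here MPLS, dedicated Internet access and broadband), and a
per-application policy picks the cheapest link that is within tolerance,
falling back to MPLS when the Internet links are congested. Link names,
measurements, thresholds and the port table are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkStats:
    """Latest probe results for one underlying service."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    up: bool = True


@dataclass
class AppPolicy:
    """Tolerances an application needs, plus links in order of preference."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preference: List[str]  # cheapest acceptable link first


# Constructed policies, as pushed from a central console.
POLICIES: Dict[str, AppPolicy] = {
    "voip": AppPolicy(150, 1.0, 30, ["dia", "broadband", "mpls"]),
    "erp": AppPolicy(250, 2.0, 100, ["mpls", "dia", "broadband"]),
    "web": AppPolicy(1000, 10.0, 500, ["broadband", "dia", "mpls"]),
}

# Constructed classifier: (protocol, destination port) -> application.
PORT_APPS: Dict[Tuple[str, int], str] = {
    ("udp", 5060): "voip",
    ("tcp", 1521): "erp",
    ("tcp", 443): "web",
}


def classify(protocol: str, dst_port: int) -> str:
    """Map a flow to an application; unknown ports fall into the web class."""
    return PORT_APPS.get((protocol, dst_port), "web")


def within_tolerance(policy: AppPolicy, stats: LinkStats) -> bool:
    return (stats.up
            and stats.latency_ms <= policy.max_latency_ms
            and stats.loss_pct <= policy.max_loss_pct
            and stats.jitter_ms <= policy.max_jitter_ms)


def select_link(app: str, links: Dict[str, LinkStats],
                policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[Optional[str], bool]:
    """Return (link_name, within_sla).

    The first preferred link that meets the policy wins. If none does, the
    lowest-latency link that is still up is used and within_sla is False,
    so the caller can alert: the edge can only choose among the paths it has.
    """
    policy = policies[app]
    for name in policy.preference:
        stats = links.get(name)
        if stats is not None and within_tolerance(policy, stats):
            return name, True
    live = [(s.latency_ms, n) for n, s in links.items() if s.up]
    if not live:
        return None, False
    return min(live)[1], False


def route_packet(protocol: str, dst_port: int, links: Dict[str, LinkStats]):
    """Per-flow decision: classify the traffic, then apply its policy."""
    app = classify(protocol, dst_port)
    link, ok = select_link(app, links)
    return app, link, ok


if __name__ == "__main__":
    # Constructed snapshot: both Internet links congested, MPLS healthy.
    links = {
        "mpls": LinkStats(latency_ms=45, loss_pct=0.0, jitter_ms=2),
        "dia": LinkStats(latency_ms=210, loss_pct=1.5, jitter_ms=45),
        "broadband": LinkStats(latency_ms=180, loss_pct=3.0, jitter_ms=60),
    }
    for proto, port in (("udp", 5060), ("tcp", 1521), ("tcp", 443)):
        print(proto, port, route_packet(proto, port, links))
```

With healthy Internet links, VoIP rides the cheaper DIA service; when both Internet links exceed the VoIP tolerances it moves to MPLS, and web traffic stays on broadband because its looser policy still holds. The `within_sla` flag is the signal worth monitoring: a flow routed with it set to False means every available path is out of tolerance, which is the "all paths congested" case the text says no edge appliance can fix on its own.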
Legacy WANs only touch the Internet at secure Web portals, usually at the data center. This leads to the "trombone" effect of sending Web data back and forth across networks. The result is added latency and exhaustion of the supply of MPLS links as Internet traffic increases. Direct Internet access, which would link branch offices to the Internet, is expensive and could overwhelm rudimentary branch hardware. Finally, the WAN was designed when the emphasis was on linking physical assets such as offices and data centers. This approach isn't ideal for this new and varied world.

What are the Benefits of SD-WANs?

SD-WANs reduce bandwidth costs by leveraging inexpensive services, such as Internet broadband, whenever possible. They can still use dedicated Internet access (DIA) for higher uptime and performance. (DIA is often more expensive than broadband but less than MPLS, and comes with some service guarantees.) Cloud and Internet performance also improve because the trombone effect is eliminated: cloud and Internet traffic is not sent through distant datacenters but directly onto the Internet. The shift to software enables changes of all sorts to be made quickly and from a centralized point. SD-WANs are far more agile, quicker to deploy, and less expensive to support in branch offices. Changes are implemented far more quickly, which can save money, increase revenues, or provide other benefits for the organization.

What are the Limitations of SD-WANs?

Though SD-WAN brings many benefits, there are also key limitations. Extending the SD-WAN to the cloud requires installing an SD-WAN appliance in or near the cloud provider’s data center, a complicated if not impossible task. Mobile users are entirely ignored by SD-WAN. And while traffic is encrypted, exposing branches to the Internet raises the threat of malware, phishing emails, and other attacks.
Deploying security appliances at the branch means the costs of purchasing, sizing, and maintaining those appliances continue. Enterprises are still forced into upgrading appliances as traffic volumes grow, and IT needs to apply the full range of security functions. Finally, troubleshooting is also made more difficult, as personnel have to jump between networking and security consoles to reach root cause. This is inefficient and can lead to errors and overlooked information about the problem at hand.

What are SD-WAN Services?

An SD-WAN managed service is a carrier- or service provider-based SD-WAN offering. It guarantees the organization a certain level of performance across its network. The carrier provides the transport and connects the enterprise to real and virtual technology at the carrier data center and perhaps in third-party clouds. SD-WAN managed services don’t answer the question of how to secure branch-based Internet access. They are simply a different business and management approach to the same technological infrastructure.

How Do Cloud-based SD-WAN Services Address Those Challenges?

The emerging option is to converge security and networking functions together into cloud-scale software. All Internet and WAN traffic is sent to and received from the provider’s point of presence (PoP) running the software. PoPs, in turn, communicate over their own backbone, avoiding the performance problems associated with the Internet core. This approach is known as SD-WAN as a service or SD-WAN 3.0. The important point is that the challenges of running both networking and security stacks at the branch office are alleviated. The SD-WAN devices in this case form a “thin edge” with minimal processing. The main task these devices perform is to assess packets and determine whether they should be sent to the Internet, to the MPLS links, or elsewhere.
With the core security and networking processing done in the cloud, SD-WAN as a service can continue to inspect traffic at line rate regardless of traffic volumes or enabled features.

What Does Cato Offer?

Cato Networks firmly believes in the SD-WAN 3.0, cloud-based approach. The Cato Cloud offers a global backbone and provides secure connectivity to branch offices, mobile users, cloud data centers, and other locations. To learn more about Cato Cloud, visit https://www.catonetworks.com/sd-wan/

The 4 Values of SD-WAN

The network perimeter has dissolved, with IaaS, SaaS, and mobile users breaking that barrier and shifting more traffic to the Internet. MPLS was not designed for this new reality. SD-WAN addresses the problem not only by reducing network costs but also by providing more value in four ways: security, traffic, access, and the cloud.

SD-WAN – Value in Security

Organizations with multiple locations connected with site-to-site VPNs, along with Internet access at each site, can end up with a stack of appliances at each location that require regular maintenance. Appliance software must be regularly patched and upgraded, with policy managed appliance by appliance. The appliance form factor, including the cost of hardware, software, and the expert staff to maintain it, is a burden that SD-WAN eliminates with Firewall as a Service (FWaaS). This new type of next-generation firewall allows an entire organization to be connected to a single, logical global firewall with a unified, application-aware security policy.

Pet Lovers, a pet product retailer, was looking to improve security on their network of 93 stores. They connected and secured traffic between stores with an Internet-based virtual private network (VPN). Point-of-sale (POS) traffic went across the IPsec VPN to firewalls in the company’s Singapore datacenter housing its POS servers. But other than the datacenter and four stores, none of the locations had firewalls to protect them against malware and other attacks. Protection was particularly important as employees accessed the Internet directly. By moving to the Cato Cloud, Pet Lovers was able to aggregate traffic from all stores, its datacenter, and any mobile users and cloud infrastructure into a common SD-WAN in the cloud. And since Cato Cloud includes FWaaS, their assets were secured – avoiding the costs of deploying and managing new and existing firewall appliances.
SD-WAN – Value in Traffic

Enterprises rely on MPLS because its predictable performance is backed by an SLA. SD-WAN from Cato can provide better value by reducing bandwidth costs while still providing an SLA-backed backbone. Fisher & Co was spending $324k per year for a managed, secure MPLS service along with WAN optimization and was looking to reduce costs and improve manageability and uptime. The company decided to move to Cato’s SD-WAN service, which integrates advanced security with an affordable global, SLA-backed backbone — the Cato Cloud. With Cato, they could retain control over the network and security infrastructure yet gain the agility and scaling benefits of a cloud service. The company’s annual spend dropped to $155k while maintaining and even improving its application delivery.

Humphreys & Partners Architects, based in Dallas, experienced frustration with their MPLS network. Every time they moved, the carrier wanted a three-year contract and 90 days to get the circuit up and running. When Humphreys opened an office in Uruguay, they wanted to connect it to their MPLS service. The provider offered only a 1.5 Mbits/s MPLS connection for $1,500 a month, about the same price as their 50 Mbits/s MPLS connection in Dallas. They found a better value moving to Cato, where bandwidth costs will fall as they phase out MPLS, eventually eliminating it altogether because of Cato Cloud’s quality and predictability.

SD-WAN – Value in Access

When organizations build their networks from a mix of MPLS and Internet VPNs, for example after a merger or acquisition, a fully meshed network isn’t always possible. Resource access can be inconsistent, resulting in a disappointing user experience. With Paysafe Group, user impact was precisely what drove the need for a better WAN. The main issue was the lack of a fully meshed network; establishing a fully meshed Internet VPN would have necessitated 210 tunnels.
Paysafe needed a single, fully meshed backbone, and neither MPLS nor Internet-based VPN was the answer. Paysafe also looked at SD-WAN vendors for possible solutions, but that option did not provide infrastructure, only intelligent routing management. Paysafe didn’t want a routing management solution; it wanted a core network with lower latency. Ultimately, Paysafe replaced its MPLS services and Internet-based VPN with a single, converged network from Cato. It natively optimizes the delivery of cloud applications, and Paysafe Group found performance much better than with Internet VPNs and on par with MPLS — at a fraction of the price.

SD-WAN – Value in Cloud and Mobility

Enterprises today know the value of cloud services and the agility they bring. However, MPLS networks limit some of those advantages by backhauling users through the datacenter, in turn decreasing performance. SD-WAN services like Cato Cloud provide a global, SLA-backed backbone that connects remote mobile workers and branch offices to corporate resources, such as cloud datacenters. With both users and datacenters connected to Cato, a single network is formed. Traffic from mobile users is sent across the optimized backbone directly to the cloud provider.

Before migrating to Cato Cloud, the marketing firm AdRoll used VPN tunnels to their San Francisco office, where all traffic was backhauled to reach the Internet and cloud, causing bottlenecks and stifling productivity with complex on-boarding procedures for users. Now with Cato, they have streamlined to a single network, and traffic from mobile users is sent across the optimized backbone directly to AWS. They have also gained deeper insight into cloud usage and can see who’s connecting, when, and how much traffic is being sent. This improved visibility provides oversight and ties directly into the bigger security conversation.

Value Means More Than Cost Savings

Cato’s SD-WAN offers multiple avenues of savings.
Beyond dollars and cents, it provides a secure global network and simplifies the network to eliminate deployment and security overhead with integrated security stacks and zero-touch provisioning. The added value of increased network visibility and improved user experience can be difficult to quantify but is just as important as the budget’s bottom line. Subscribe to Cato’s blog for more information on how SD-WAN can impact your enterprise’s network value.

Cato Revolutionizes SD-WAN with Identity-Aware Routing

Today, Cato introduced the first identity-aware routing engine for SD-WAN. Identity awareness abstracts policy creation in Cato Cloud from the network and application architecture, enabling business-centric routing policies based on user identity and group affiliation. It headlines a series of SD-WAN enhancements we’re making today to Cato Cloud. You’ll be able to learn more about identity awareness and see those improvements in action in our upcoming webinar, when director of product management Eyal Webber-Zvik and I demo Cato Cloud.

Problems of Routing

Enterprises have long sought to make networking easier — easier to configure, easier to deploy, and easier to manage. Essential to that goal has been abstracting network policy definition to better mirror business context. Legacy networks route traffic based on IP address or subnet, information that bears little resemblance to the business. Policies are, in effect, machine-aware, treating a device’s application traffic the same even when network requirements vary greatly. While SD-WANs made application-aware routing a reality, we remain limited by their lack of granularity, unable to accurately reflect business context in our networks.

Identity awareness transforms routing

Identity awareness completes the evolution of routing by steering and prioritizing traffic based on organizational entities — team, department, and individual users. Adding identity attributes to networking policies allows Cato to deliver:

Business process QoS, where prioritization is based not just on application type but on the specific business process.

The highest level of policy abstraction, where route policy definition naturally extends routing policies to the user independent of their device or location — whether in the office or on the road. Policies are easier to define, and fewer policies need be instantiated and maintained, simplifying network management.
Business-centric network visibility, allowing detailed insight into the activity of all business entities — sites, groups, hosts, office users, and mobile users. IT can quickly see how business entities use the network to help with network planning and scaling.

With identity-aware routing, business-critical voice calls, such as those from executives or sales, can be prioritized over other calls; file transfers, normally given low priority, can be prioritized when they involve business-critical processes, such as financial transactions in a financial institution. Cato implements identity-aware routing seamlessly, without changing the network infrastructure or the way users work. Microsoft Active Directory (AD) data is dynamically correlated across distributed AD repositories and real-time AD login events to associate a unique identity with every packet flow. Organizational context, such as groups and business units, is derived from the AD hierarchy.

Real-time Analytics and Other SD-WAN Enhancements

In addition to identity awareness, Cato introduced or enhanced numerous Cato Cloud SD-WAN capabilities, including:

Multi-segment, policy-based routing dynamically selects the optimum path at each segment — the first mile, middle mile, and last mile. Segment-specific protocol acceleration technologies maximize global throughput. Using the robust DPI engine underlying Cato Cloud, we’re able to detect and classify hundreds of SaaS and datacenter applications regardless of port, protocol, or evasive technique and without SSL inspection. Applications are routed based on real-time link quality or preferred transport.

Real-time network analytics expands Cato’s robust reporting for advanced troubleshooting. IT managers can view jitter, packet loss, latency, packets discarded, throughput, and dropped indicators, with graphs for both upstream and downstream traffic as well as the top hosts and applications for real-time and historical traffic.
Mean opinion score (MOS) ratings provide real-time insight into the voice quality across Cato Cloud.

Affordable and simple high availability (HA) deployment has been expanded to include more HA options. Cato Socket, Cato’s SD-WAN appliance, supports a broader mix of active/active and active/passive failover configurations for MPLS and Internet connections. Cato’s Affordable HA carries no additional recurring charge, and deployment is simple with zero-touch provisioning, needing just a private or public IP address.

Intelligent last-mile resilience has been improved to include flow-by-flow packet duplication and fast packet recovery as part of Cato’s Multi-Segment Optimization. Last-mile congestion, a significant cause of packet loss, is also mitigated through advanced QoS support for upstream/downstream bandwidth.

Cloud and WAN traffic optimization using Cato’s Multi-Segment Optimization reduces latency by routing traffic along the optimum path to the destination site (WAN traffic) or to the entrance of the cloud service (cloud traffic). A variety of TCP enhancements increase throughput when accessing cloud and WAN resources.

“We founded Cato on the premise that IT needed a new kind of carrier, one where simplicity isn’t just a mission statement but part of the company’s DNA,” says Shlomo Kramer, co-founder and CEO of Cato Networks. “Identity awareness adds business context to our end-to-end, converged and secure MPLS alternative, making it easier and simpler for IT to align with today’s dynamic business requirements and deliver an optimal user experience, everywhere.”

To learn more about identity-aware routing and see Cato’s new secure SD-WAN capabilities in action, click here to join our upcoming online demonstration of Cato Cloud.
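The identity-aware policy model described in this post (a flow is tied to a user through directory login events, the user's group membership is read from the directory hierarchy, and the routing or QoS rule is keyed on the group and application rather than on an IP address or subnet) can be shown end to end with a small lookup. This is an added example, not Cato's engine: the directory, the login events, and the priority rules are constructed, and a real deployment would take the equivalent data from the domain controllers' login events and the AD group hierarchy.

```python
"""Identity-aware policy lookup.

Added example, not Cato's engine. It correlates a flow's source address
with the most recent login event seen for that address, expands the
user's directory groups (including parents), and resolves a priority from
rules keyed on group and application rather than on IP or subnet. The
directory, login events and rules below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed directory: user -> direct groups, group -> parent group.
USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["executives"],
    "bob": ["sales"],
    "carol": ["treasury"],
    "dave": ["engineering"],
}
GROUP_PARENT: Dict[str, str] = {
    "executives": "corporate",
    "sales": "corporate",
    "treasury": "finance",
    "finance": "corporate",
    "engineering": "corporate",
}

# Constructed login events (timestamp, user, ip). The latest event for an
# address wins, so an address handed to a new user is re-associated.
LOGIN_EVENTS: List[Tuple[int, str, str]] = [
    (100, "bob", "10.1.1.20"),
    (110, "alice", "10.1.1.10"),
    (120, "carol", "10.2.2.30"),
    (130, "alice", "100.64.0.5"),   # same user, now on a mobile client
    (140, "dave", "10.1.1.20"),     # bob's old desk address reassigned
]

# Ordered rules: (group or "*", application or "*", priority); lower wins.
RULES: List[Tuple[str, str, int]] = [
    ("executives", "voice", 1),
    ("finance", "file_transfer", 2),   # treasury inherits this via the hierarchy
    ("*", "voice", 3),
    ("*", "file_transfer", 8),
    ("*", "*", 5),
]


def build_ip_map(events: List[Tuple[int, str, str]]) -> Dict[str, str]:
    """Map each address to the user of its most recent login event."""
    latest: Dict[str, Tuple[int, str]] = {}
    for ts, user, ip in events:
        if ip not in latest or ts > latest[ip][0]:
            latest[ip] = (ts, user)
    return {ip: user for ip, (_, user) in latest.items()}


def group_chain(user: Optional[str]) -> List[str]:
    """Direct groups plus every ancestor group, in discovery order."""
    chain: List[str] = []
    todo = list(USER_GROUPS.get(user, [])) if user else []
    while todo:
        g = todo.pop(0)
        if g not in chain:
            chain.append(g)
            parent = GROUP_PARENT.get(g)
            if parent:
                todo.append(parent)
    return chain


def resolve_priority(src_ip: str, app: str, ip_map: Dict[str, str],
                     rules: List[Tuple[str, str, int]] = RULES):
    """Return (priority, user, matched_rule) for one flow.

    An address with no login event gets only the "*" rules, so an
    unidentified device never inherits a privileged group's treatment.
    """
    user = ip_map.get(src_ip)
    groups = set(group_chain(user))
    for group, rule_app, prio in rules:
        if (group == "*" or group in groups) and (rule_app == "*" or rule_app == app):
            return prio, user, (group, rule_app, prio)
    raise LookupError("no default rule configured")


if __name__ == "__main__":
    ip_map = build_ip_map(LOGIN_EVENTS)
    for ip, app in (("10.1.1.10", "voice"), ("100.64.0.5", "voice"),
                    ("10.1.1.20", "voice"), ("10.2.2.30", "file_transfer"),
                    ("192.0.2.9", "voice")):
        print(ip, app, resolve_priority(ip, app, ip_map))
```

Two properties of the model show up in the output: alice's voice traffic gets the executive priority whether it comes from her desk address or the mobile address (policy follows the user, not the device), and the desk address that moved from bob to dave resolves to dave's policy because the latest login event wins. Treasury's file transfers pick up the finance rule through the group hierarchy without a rule of their own.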

A Technology Horror Story: The Day the Marketing Guy Joined the Hackathon

The fifth floor of the cafeteria at Cato’s Israeli office transformed last Thursday morning nearly two weeks ago into a celebration of innovation, coding, and food. Our 2018 Hackathon was kicking off with a sumptuous breakfast buffet decorating the tables, and flags of the 10 project teams dotting the floor-to-ceiling windows that looked out onto southern Tel Aviv.

Hackathons are usually meant for folks who know something about, well, hacking code. But the dynamic duo who conceived and ran the event -- Eyal, our director of product management, and Jordana, Cato’s human resources manager – poked, prodded, and dare I say implored, every employee to join the festivities -- and I do mean everyone. The call to sign up for Cato’s Hackathon wasn’t just limited to those who could program in C but even employees who could spell with a C – all were encouraged to sign up. Thankfully singing in C wasn't a requirement.

Being the courageous marketer that I am, I answered that call, journeying from my comfortable 4th floor office up into the wild world of engineering and development. And as I stood there, munching my way through a quiche and mini-sandwich, the great existential question that any marketing guy should ask himself at a Hackathon once again crossed my mind: Just what the heck was I doing here? Clearly, I wasn’t the only one. “Good to have you, Dave.” I turned and there was our CTO, Gur Shatz, walking past. “I am curious to see how you’re going to contribute,” he said with a slight smile on his lips.

Cato Cloud sits on an enormous data warehouse of networking and security information. One way to tap that information is through our recently announced Cato Threat Hunting System (CTHS), but there are millions — well, at least 10 — other ways.
Some teams were going to develop new kinds of security services, others focused on creating new tools, and still others looked at new kinds of platforms for accessing the Cato Cloud. As an old-time networking hand and Marvel fan, I signed up to develop “Heimdall”, a new kind of tool for measuring end-to-end latency, with team Uselesses (don’t ask).

[Image: Logos for the 10 teams that competed in the Cato Hackathon]

Expecting to help the team code wasn’t realistic, that much I knew. The last time I programmed, punch-cards were just leaving this world, and objects were something you touched. I could write world class functions in Fortran or Pascal, if you insist, but somehow, I didn’t think that was going to help very much.

It’s not that I’m technically clueless, mind you. I have spent 20+ years studying, analyzing and evaluating networking technologies in very sick detail. Marketing people usually end up calling me an engineer, which is kind of funny because engineers usually call me a marketing person. I guess that makes me something of a technical marketing mashup — hence my evangelism title. All of which meant I was geeky enough to be thrilled to create a better network measurement tool, but uncertain exactly how to help. If networking expertise, ideation, positioning, or pitching were needed by team Uselesses, I’d be the man. If not, coffee making was a possibility. Never having been at a Hackathon, though, it was hard to know which of those skills would be required.

No Turning Back

Yeah, I thought about bowing out gracefully. I Slacked Eyal about how he saw us marketing types fitting in. “I will be mentoring and hosting. If you feel like contributing - you are seriously welcomed to do it any way you can,” he Slacked back. No daylight there. I checked with Vadim, the lead on team Uselesses, about whether there were issues with me joining (hint, hint).
“It’s fine,” he said, “Happy to have you with us.” No luck. So, I gave up and joined. After all, how bad could it be? I wasn’t going to be the only non-developer or engineer there, right? Nice try. As it turns out, no other sales (sales engineering aside), marketing, or finance person joined in the festivities.

Which brings us back to Gur. I smiled, mumbled something, and then went off to join Vadim, Koby and Dudi — DevOps team extraordinaire — to be tucked away in a small, glass-lined conference room with a view of the Mediterranean and 12 hours to build a cloud measurement powerhouse.

[Image: Team Cato gathers for our 2018 Hackathon]

Building Heimdall

When I got in the guys had already white-boarded what they were doing and had turned to their laptops to start building. “We’ve already built a skeleton on AWS to hold our code,” explained Koby. “Skeleton. Is that like an outline?” I asked. Clearly, I was out of my element. But I was here for the next 10 hours and there were just so many jokes I could crack and times I could offer to get folks coffee. The guys had spent time thinking about Heimdall and I needed to catch up. Like any good marketing guy, I started asking questions.

“Why are we building this tool?”

“It’s going to help prospects determine their end-to-end latency with Cato,” replied Vadim.

“Can’t we do that today by having them ping our PoPs?”

“We can, but you need to know which PoPs to ping and that’s not always obvious.”

The software in Cato Sockets, our SD-WAN appliances, automatically identifies and connects to the optimum PoP. But obviously enterprises evaluating Cato didn’t have that software and the optimum PoP wasn’t always obvious. A myriad of factors, such as Internet routing and the way undersea cables run, meant that the physically closest PoP may not be the one with the least latency.
With more than 40 PoPs today around the globe, the question comes up pretty frequently — a problem with having the world’s largest independent backbone. We had other ways of determining end-to-end latency before the Hackathon, of course, which made me even more curious as to why we were building Heimdall. I asked, and kept on asking questions, and after about 20 minutes of being my annoying self — and Vadim, Koby, and Dudi being patient with me — we pulled out all the ways this little project was going to change Cato, networking, and the fate of humanity.

As the day progressed, team Uselesses started fleshing out the features of Heimdall. Originally, we were tasked with identifying last-mile latency, but Dave, the Networking Nerd, knew that last-mile latency is a small fraction of overall latency on global connections. Last-mile packet loss and jitter, on the other hand, are very important. I suggested we include those metrics in the product. Metrics are nice, but without context they mean little. Dave suggested we find a way to add context, and out of that conversation came the results for optimum and direct paths across Cato Cloud – not necessarily the same thing. We also agreed to include end-to-end Internet measurements, but that would take a bit more time than we had at the Hackathon.

The conversation turned to exactly how to represent the data. We all had ideas; I had many. Dudi, our guy with the most front-end experience, was, shall we say, just a tad busy working with Koby on connecting the core components of Heimdall. Eventually he asked me to mock something up and that’s how the Marketing Guy became the UI Guy.

[Image: The opening interface to Heimdall]

And so, the day went on. Drinks were served. Jokes were made. We each contributed our part of Heimdall. Koby and Dudi got the components connected. Vadim finished up on the network measurements and Dave?
He mocked up the UI and finished the PowerPoint.

Time To Pitch

Time was up, and we filed in at 10:30pm to share our very cool sh*t. Team after team went up showing off what they had developed. Query tools that hadn’t existed a day before were suddenly workable. Deep analytics made simple by new kinds of visuals shown on the screen. Hardware platforms non-existent before we started were operational. Frankly, I was amazed at what could be created in such a brief period of time.

Eventually, our time came, and yours truly got up to do his marketing best. This was far more than a tool for measuring latency, I explained. This tool was going to shorten the sales cycle, generate new leads, and improve Cato operations. We killed it on the PowerPoint — no bullets, axed the 10-point type, and nailed the bottom-line benefits for Cato. And by far the most brilliant thing I said was… “Now let me hand it over to the real brains behind this project — Vadim, Dudi, and Koby — who’ll demo this tool.”

Vadim did the heavy lifting (like pressing a button on the keyboard) and voila! Our tool identified the best PoP for both source and destination addresses.

[Image: Best PoP identified for both source and destination. The tagline on the bottom does NOT reflect a new kind of technology team.]

Scrolling up, we also showed that Heimdall identified the end-to-end statistics for direct and optimized paths across the Cato Cloud.

[Image: Projected end-to-end statistics for direct and optimized connections. Actual results may improve once we apply our optimization algorithms.]

In the end, the marketing guy did help team Uselesses. Besides clarifying networking concepts for some of my more software-oriented compatriots, my efforts led to us tracking several metrics I think any networking-minded pro would want to know.
I identified what we should show and developed the interface for how we’d show it with enough clarity that a UX person could ultimately make it presentable. And, of course, I drew out Heimdall’s applicability to the rest of Cato, which led to the final pitch and presentation.

And The Winner Is

The teams finished up and the judges retreated for deliberations. Meanwhile, Eyal treated us to hysterical JibJab music videos of us. After 30 minutes or so, the judges filed back in. “For second place, we picked Heimdall from team Uselesses,” said Ofir Agassi, our director of product marketing. “The project was well implemented, and we liked Heimdall’s ‘broad applicability’ to all aspects of Cato.”

Ca-ching. Our core message gets cited as the reason for the award. Not bad. And who said marketers can’t contribute to a Hackathon? Yes, good marketing can make all the difference, but lest any marketers reading this piece (myself included) get too full of themselves, remember this: the team that took first prize had a great security researcher, solid developers — and not a single marketing soul around.

[Image: The winning team with Ofir (far left), Shlomo (far right), and Aviram, sneaking in from behind.]

The post originally appeared in part on Network World at: https://www.networkworld.com/article/3284511/lan-wan/a-technology-horror-story-the-day-the-marketing-guy-joined-the-hackathon.html

Top 11 Women in Enterprise Networking

Identifying female role models in the technology sector is important for many reasons, the most important being that female representation in IT is severely lacking. A 2017 ISACA survey, “The Future Tech Workforce: Breaking Gender Barriers”, found that 87% of respondents were concerned about the low numbers of women in the technology sector; the survey documents that men outnumber women in the industry at every level. The tech sector has nonetheless had outstanding female leaders, pioneers who are now largely forgotten, including Ada Lovelace, a very early computer programmer who lived from 1815 to 1852, and Joan Clarke, the twentieth-century mathematician who worked alongside Alan Turing. Today there are notable female leaders in enterprise networking opening up the sector to others and serving as examples for the industry. Here is our pick of 11 women in enterprise networking today.

Padmasree Warrior (@Padmasree)
Padmasree has had an illustrious career, working at Motorola for 23 years before becoming the first-ever CTO of Cisco. She has since become CEO of smart-car maker NIO. Forbes named her one of “The World’s 100 Most Powerful Women.” Padmasree is a regular conference speaker and recently spoke at RSA; you can watch her keynote speech on “Women of Vision”.

Denise Fishburne (@DeniseFishburne)
Denise Fishburne, also known as “Fish”, works as a solution architect at Cisco’s PoV Services and is a keen troubleshooter. In her blog, “Networking with Fish”, she writes about IWAN and security and posts networking videos with “how-to’s” and troubleshooting tips.

Michele Chubirka (@MrsYisWhy)
Michele, also known as “Mrs. Y”, is a security architect, analyst, and researcher with expertise in SDN, virtualization, microservices, and cloud. She has been an author and broadcaster on the enterprise networking podcast network Packet Pushers, and writes regularly for her own blog, Post Modern Security, about security and enterprise networking. Her latest post, Five Stages of Cloud Grief, is well worth a read. Stage three of cloud grief is, “Anger – IT staff shows up at all-hands meeting with torches and pitchforks demanding the CIO’s blood and demanding to know if there will be layoffs.”

Lori MacVittie (@lmacvittie)
Lori used to write for Network Computing Magazine and now works as a “Technical Evangelist” at F5 Networks. She has had a glittering career as a systems engineer, writer, analyst, and lately, technology evangelist. Recognized as one of the top 50 Most Prominent Cloud Bloggers, she has published articles on network architecture, security and related topics at DevOps.com. Lori’s areas of expertise include application and network architectures, and she currently sits on the advisory board of CloudNow, a not-for-profit think tank for women in cloud computing.

Melissa Di Donato (@mdidonato1)
Melissa is currently Chief Revenue Officer at SAP and was previously Vice President at Salesforce.com in the Wave Analytics Cloud division. She plays a strong role in promoting STEM initiatives to girls and mentoring women in business. In a recent tweet, Melissa reminds us that “empowering women is empowering business.” She is a regular speaker at conferences such as “Cloud and DevOps World” and will be speaking at London Tech Week next month.

Naomi Climer (@naomiclimer)
Naomi Climer is an engineer who served as president of Sony's Media Cloud Services start-up business from 2012, became the first female president of the Institution of Engineering and Technology in 2015, and was awarded the first "Broadcast and Media Technology Industry Woman of the Year" the same year. Naomi is currently Chair of the UK Government’s “Future Communications Challenge Group”, which is exploring the challenges of 5G networks.

Danielle Haugedal-Wilson (https://www.linkedin.com/in/mrsdhw/)
Danielle works for UK retailer the Co-Op as Head of Business Architecture and Analysis. Next month she will be speaking in London at Cloud and DevOps World on “Moving To And Being Part Of The Cloud.” Danielle works with girls and women to champion the placement of women in technology.

Lisa Pierce (https://www.linkedin.com/in/lisampierce/)
Lisa Pierce is Managing Vice President at Gartner, where she leads the Enterprise Network Systems and Services Research team. Her expertise is in network-related infrastructure, including SD-WAN, IaaS, and PaaS. Lisa is a regular speaker at shows and recently gave a talk on “Gartner Perspective on SD WAN: Enterprise Benefits and Challenges” at the February 2018 SD-WAN Expo.

Jezzibell Gilmore (https://www.linkedin.com/in/jezzibell-gilmore-78676126/)
Jezzibell is an entrepreneur in the enterprise networking space. She is currently Senior Vice President of Business Development and Co-Founder of the enterprise networking company PacketFabric. Jezzibell recently spoke at WAN Summit New York 2018 on a panel called Delivering the Cloud: CSP Connection Models, Security, and Performance.

Yulia Duryea (@YuliaDuryea)
Yulia is Director of Product Management at Windstream Enterprise, where she manages the SD-WAN portfolio. She has blogged on various aspects of SD-WAN, including a recent post on using SD-WAN to support financial operations. Yulia also served on a panel entitled The Underlay Network – Selecting and Sourcing Local Access and Broadband at the WAN Summit in New York.

Donna Johnson (@drdesler)
Donna Johnson has completed her role as Director of Product Marketing for NetScaler SD-WAN at Citrix and is joining Cradlepoint, a 4G LTE network solutions provider. Donna gives regular talks at enterprise networking events and has taken part in a number of informative Citrix webinars, including a recent joint webinar on how SD-WAN architecture has evolved to meet secure multi-cloud requirements, “From SD-WAN to secure Multi-Cloud.”

To the Future

In the U.S. alone, computer and information technology occupations are expected to grow 13% between 2016 and 2026. The tech jobs gender gap is growing too; women will need to continue to be encouraged to enter technology and networking, and then to serve as mentors to the next generation of leaders in the industry.

The Evolution of SD-WAN

The cloud has become an inseparable part of enterprise IT as more applications make the transition to the cloud, and WAN infrastructure has had to adapt to that shifting landscape. Initially, SD-WAN was driven by the need for cost savings, since WAN infrastructure, MPLS in particular, can be quite expensive. Today it is not just cost savings that drive enterprises to SD-WAN. Enterprises have changed how they work: cloud, SaaS, mobile workers, and IT requirements to roll out new sites in days rather than weeks, all while reducing costs at the same time. SD-WAN has become more than just a network for connecting locations. The rise of cloud, mobility, and business agility demands has required SD-WAN to become smarter, providing security, optimization, intelligence, and better reach. These changes can be broken down into three phases, reflecting the ways SD-WAN technology has adapted over time to business requirements.

SD-WAN 1.0: Hungry for Bandwidth

In addition to cost savings, one of the initial WAN problems IT leaders wanted to solve was last-mile bandwidth and availability. A common workaround for improving site availability is pairing an MPLS connection with a backup Internet connection, but the backup is typically used only in the event of an outage. The predecessor to SD-WAN improved on this with link bonding, which combines multiple Internet services using diverse technologies, such as xDSL and 4G, from different providers. This technology operated at the link layer and improved last-mile bandwidth. The improvements were limited to the last mile and did nothing for the middle mile. Although the network was not yet virtualized at this stage, the idea laid the groundwork for SD-WAN and proved there was a solution to the changing needs of enterprise networks.

SD-WAN 2.0: The Rise of SD-WAN Startups

Link bonding only addressed availability of the last mile. For true improvement in WAN performance, routing awareness needs to apply anywhere along the path, not just the last mile, so features beyond link bonding were needed. As these advances were developed, many startups appeared on the scene. Competition breeds innovation, and this phase introduced features such as virtualization, failover/failback capabilities, and application-aware routing, all driven by the need for better performance and agility on the WAN. SD-WAN improves agility by avoiding the installation and provisioning delays of MPLS and fills the need for bandwidth on demand. Virtualization lets network administrators manage the underlying paths or services from a single control panel and configure optimization features there. Optimization delivers the application performance that previously required the SLA-backed connections of MPLS: using application-aware routing and dynamic link assessment, SD-WAN selects the optimum connection per application. SD-WAN met the challenge of delivering the performance and uptime characteristics needed to serve applications to users.

SD-WAN 3.0: Reaching Out

SD-WAN evolved beyond connecting branch offices, expanding its reach to all enterprise resources to create a seamless network experience. This is a major shift in networking capabilities: a unified infrastructure for cloud, mobility, and “as-a-service” technologies. SD-WAN provides encrypted Internet tunnels for traffic traversing the WAN, and SD-WAN as-a-service can build a full enterprise-grade network security stack directly into its global backbone to protect all location types, including mobile users.

A Roadmap to WAN Transformation

Not all SD-WAN solutions on the market today address all three aspects of WAN transformation. Cato Networks integrates these attributes into one solution and presents a fundamental change in how we think about SD-WAN. By simplifying what can be a complex environment, Cato’s SD-WAN as-a-service helps organizations achieve full visibility into their network, route applications for optimum performance, and secure the entire WAN, including mobile and cloud users. With Cato Cloud, WAN transformation is a full roadmap for streamlining the organization’s networking and security infrastructure to meet application delivery requirements now and as future needs arise. Find out more about how Cato Networks’ advanced SD-WAN solution can transform your WAN by subscribing to the Cato blog.

Top SD-WAN Events to Attend in 2018 and 2019

Software Defined Wide Area Networking (SD-WAN) has become a runaway success across all industry sectors. Analysts at IDC estimate the SD-WAN gold rush will continue at a compound annual growth rate (CAGR) of almost 70 percent through 2021. Rapid adoption of a new methodology comes about for one reason: it works. As a result, SD-WAN-focused events and networking conferences with SD-WAN agenda items are happening across the globe. There are quite a few to choose from, so we’ve put together a list of the more important ones you should attend in 2018 and early 2019.

SD-WAN Summit
When: 26-28 September 2018
Where: Paris

It is only in its second year, but the SD-WAN Summit is already one of the biggest and best SD-WAN shows to attend in 2018. This year’s programme is still being organized, but last year’s event shows the richness of the discussion and presentations. Talks such as “Defining Key SD-WAN Design Requirements” give practitioners invaluable expert advice on using SD-WAN in their own organization. 2017 speakers included Mike Fratto of GlobalData, who analyzes the market and use cases around SD-WAN, and Claudio Scola, Director of Product Management at Tata Communications.

SDN NFV World Congress
When: 8-12 October 2018
Where: The Hague, Netherlands

This conference is all about innovation in the world of carrier networking, and it offers tracks covering all areas of SD-WAN from both a business and a technical standpoint. The speakers and agenda are still being firmed up, but a useful track from last year, “How SD-WAN impacts the enablement of NFV”, is now on YouTube. Speakers from last year’s conference included:
Nathalie Amann, SDN NFV Program leader at Orange
Marco Murgia, Chief Architect, Citrix (responsible for SD-WAN architecture)

WAN Summit London
When: 17-18 October 2018
Where: London, UK

Like its sister show in New York, this conference focuses on everything WAN, including SD-WAN. It brings WAN experts together to share their insights on the development of SD-WAN networks and how enterprises are adapting WAN technology for cloud-based applications. While the 2018 agenda is being developed, check out some of last year's speakers, including:
Marcel Koenig, Principal ICT Technology & Sourcing, Ancoma Network
Simon Lawrence, Group Manager, NS, EUS, EMEA Network Engineering, BNY Mellon (specialising in SD-WAN)

Gartner IT Infrastructure, Operations & Data Center Summit
When: 26-27 November 2018
Where: London, UK

Analyst firm Gartner hosts this general networking event, which drills down into the technology used across modern network infrastructures. The summit covers everything from cloud to IT operations to emerging technology like SD-WAN. The conference mixes analyst speakers who specialize in infrastructure technology with an expo showcasing a variety of infrastructure vendors. Speakers from last year’s conference included:
Admiral James Stavridis, U.S. Navy (Retired), who spoke on “The New Realities of 21st Century Security”
Brian Lowans, who specializes in data encryption and cloud data security

Metro Connect USA
When: 29-31 January 2019
Where: Miami, FL

This is an industry-specific event for the telecommunications and fiber industry with a focus on optimizing networking. Industry experts and hands-on practitioners talk about everything from current use cases to emerging trends. An interesting panel discussion to catch is “Understanding How SD-WAN Is Changing The Next Generation Of Metro Networks”. Speakers to check out include:
Nitin Rao, VP - Infrastructure, Cloudflare
Frank Rey, Director, Global Network Acquisition, Microsoft

SD-WAN Expo
When: 28 January - 1 February 2019
Where: Fort Lauderdale, FL

SD-WAN Expo is a perfect meld of business and technical content to help you find a fit for SD-WAN in your organization. The Expo is designed for fluid networking and, most importantly, learning. The show has both a practical side and a future view; it is all about using “industry to inform industry” and exploring the true capabilities of SD-WAN. Interesting and useful talks include “SD-WAN: Analyst Perspective”, an insider view of what’s out there and where SD-WAN is going, and “SDN and SD-WAN: What They Mean to Each Other”, for a real handle on the capabilities of SD-WAN. 2018 speakers included:
Eric Herzog, CMO, Worldwide Storage Channels, IBM
John Burke, Principal Research Analyst & CIO, Nemertes Research

We hope this run-down of the best shows in the networking world gives you food for thought. SD-WAN is being adopted across industries, and keeping up with new use cases and models of operation is an important part of the networking professional’s role. Hopefully these events will help you on the road to an optimized future.

Ensuring High Uptime with SD-WAN

Branch offices come in many sizes and serve many purposes, from small to large and from critical functions to a simple home office. The enterprise needs a network that can adapt, offering availability levels matched to each type of office. What are your options?

MPLS networks have been the backbone of enterprise networks for years. Although MPLS circuits are considerably more expensive than general Internet circuits, businesses have relied on them for their dependability. MPLS networks are known for high uptime, with a target of “five nines” (99.999%). Service level agreements (SLAs) guarantee latency, packet delivery, and availability; on an outage, the MPLS provider resolves the issue within a stated period or pays the requisite penalties.

Software-defined wide area networking (SD-WAN) is making organizations rethink their WAN infrastructure. Instead of connecting a location with one highly available MPLS connection, SD-WAN can connect it with multiple, individually less reliable broadband Internet connections, selecting the optimum connection per application. Ultimately, the goal is to deliver just the right performance and uptime characteristics by taking advantage of the inexpensive public Internet.

Reliability at a Price

MPLS services remain significantly more expensive than Internet services. At customer premises-based data centers, traditional Internet connectivity might offer a 2x – 4x price/bit advantage over MPLS, while at colocation facilities the price/bit advantage is typically in the 10x – 50x range. Adding MPLS bandwidth is a lengthy, costly process requiring configuration changes and additional hardware, and takes anywhere between 3 and 6 months. Waiting on critical additional MPLS bandwidth results in project delays and lost revenue. Because of the high costs, redundancy is often too expensive, leaving companies to connect locations with a single circuit. Internet backup may be used, but that adds complexity to the network.

MPLS networks are not infallible; outages do occur, from events such as accidental cable cuts. The last mile is another factor affecting performance and uptime, because more than one carrier may be involved in building the network. The carrier delivering the last mile varies by location and may not be the carrier providing the MPLS service. Oftentimes, SLAs cover only the backbone and not the last mile, where outages are most likely to occur. Performance and uptime become unpredictable if the last-mile carrier does not meet the expectations of the MPLS carrier.

SD-WAN High Uptime Strategies

SD-WAN created more flexibility, and a way around the high bandwidth costs of MPLS, by integrating Internet transports (such as cable, DSL, fiber, and 4G) into the WAN and forming a virtual overlay across all of them. With load balancing and real-time measurement of each circuit’s transport quality, SD-WAN delivers the uptime businesses demand from a mix of Internet connections.

Connecting a site to an MPLS service over a single line leaves it exposed to line failures from cable cuts, router misconfigurations, and other faults in the cabling infrastructure. With SD-WAN, an active/active load-balancing configuration protects against such failures by using redundant, simultaneously active lines to connect the location to the SD-WAN. When one line fails, traffic fails over to the alternate connection.

The formula for the availability of a site connected over several circuits in parallel shows that the combined availability is always higher than that of any individual circuit, so SD-WAN can compete with MPLS on high-availability requirements:

Site Availability = 1 - ((1 - Service A Availability) × (1 - Service B Availability) × ... × (1 - Service N Availability))

The formula treats circuit failures as independent. Circuits that share a conduit, a building entrance or an upstream provider fail together, and for them the real availability is lower than the formula gives. Availability and downtime for individual consumer-grade circuits at 99% availability, and for parallel combinations of them:

Circuits (each 99.0% available)   Site availability        Downtime
1 circuit                          99.0% (2 nines)          5,256 min/year (7.3 hours/month)
2 in parallel                      99.99% (4 nines)         52.6 min/year (4.4 minutes/month)
3 in parallel                      99.9999% (6 nines)       0.526 min/year (2.6 seconds/month)
4 in parallel                      99.999999% (8 nines)     0.00526 min/year (0.026 seconds/month)

Each circuit added to a load-balanced configuration with redundant components raises uptime further. With this method it is possible to reach five nines with services that individually offer far less than five nines. Adding LTE or cellular access gives the location a path that does not depend on the wired local loop, so a single cable cut by the last-mile provider no longer takes the site down, and fault tolerance improves accordingly. Being able to mix and match circuit types and quantities lets each branch office meet the availability requirement the organization sets for it without overspending. Some examples of connectivity an organization might choose:

Critical branch - Redundant fiber with local SLA
Regional branch - A mix of DIA and broadband
Small branch - Redundant broadband

Organizations rely on MPLS for consistent response times for real-time applications such as voice and video. To provide a similar level of consistency, SD-WAN automatically detects blackouts and brownouts: when latency or packet loss increases on a circuit, it fails active sessions over to a better-performing one. Look for an SD-WAN solution whose session failover is fast, in the 100-200 ms range. If failover takes too long, real-time traffic such as voice and video will drop sessions or suffer jitter and delay.

Cato Networks SD-WAN includes a global, affordable, SLA-backed backbone with over 30 PoPs worldwide, fully meshed over multiple tier-1 IP transit providers. Strategies such as active/active failover, application QoS, Policy-Based Routing (PBR), and Forward Error Correction (FEC) give SD-WAN from Cato Networks the high uptime organizations need. Subscribe to Cato’s blog for the latest topics related to SD-WAN.
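The availability arithmetic above, carried through in code as an added example (this is not Cato code and not from the original post). It reproduces the table for N identical circuits, reports the result in nines, checks it against a five-nines target, and then goes one step beyond the post: a `site_availability` function models the case the independence assumption misses, where all wired circuits ride one shared local loop (in series with it) while an LTE circuit bypasses that loop. The 99.9% loop, the 98% LTE figure and the other circuit values are constructed for illustration.

```python
"""
Availability arithmetic for a site connected over several circuits.
Added example, not Cato code. All circuit availabilities are constructed.
"""
import math

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def parallel_availability(availabilities):
    """Site stays up if ANY circuit is up: 1 - P(all circuits down).
    Assumes the circuits fail independently, as the post's formula does."""
    if not availabilities:
        raise ValueError("need at least one circuit")
    p_all_down = 1.0
    for a in availabilities:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability out of range: {a}")
        p_all_down *= 1.0 - a
    return 1.0 - p_all_down


def series_availability(availabilities):
    """EVERY component is required (a shared local loop, a single CPE): product."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def downtime_minutes_per_year(availability):
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines(availability):
    """Number of nines, e.g. 0.9999 -> 4.0 (rounded to absorb float noise)."""
    if availability >= 1.0:
        return math.inf
    return round(-math.log10(1.0 - availability), 2)


def availability_table(circuit_availability, max_circuits=4):
    """Rows (circuits, site availability, downtime min/year) for N identical circuits."""
    rows = []
    for n in range(1, max_circuits + 1):
        a = parallel_availability([circuit_availability] * n)
        rows.append((n, a, downtime_minutes_per_year(a)))
    return rows


def site_availability(wired, shared_loop, lte=None):
    """Correlated-failure model: the wired circuits all depend on one shared local loop
    (series), while an LTE circuit, if present, bypasses that loop (parallel to the wired path)."""
    wired_path = series_availability([shared_loop, parallel_availability(wired)])
    if lte is None:
        return wired_path
    return parallel_availability([wired_path, lte])


def meets_target(availability, target=0.99999):
    """Five nines unless told otherwise."""
    return availability >= target


if __name__ == "__main__":
    for n, a, mins in availability_table(0.99):
        print(f"{n} x 99% circuits: {a:.8f} ({nines(a):g} nines), {mins:.5f} min/year")
    print("two 99% circuits on a shared 99.9% loop:", site_availability([0.99, 0.99], 0.999))
    print("... plus 98% LTE bypassing the loop:", site_availability([0.99, 0.99], 0.999, lte=0.98))
```

Two 99% circuits give 99.99% only if nothing is shared; put them on one 99.9% local loop and the site drops to 99.89%, worse than the loop alone can ever be beaten by adding wired circuits. Adding a 98% LTE path that does not use the loop lifts the site back above 99.99%, which is the mechanism behind the post's LTE advice.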

What You Don’t Need from an SD-WAN Vendor

IT organizations are becoming increasingly aware of the benefits of software-defined wide area networking (SD-WAN). According to a July 2017 report from market-research firm IDC, SD-WAN adoption is seeing "remarkable growth" as companies look to streamline their WAN infrastructure and move toward more cloud-based applications. The IDC report estimates that worldwide SD-WAN infrastructure and services revenues will see a compound annual growth rate (CAGR) of 69.6% and reach $8.05 billion in 2021. IDC has determined that much of the growth in SD-WAN adoption is from companies looking for ways to reduce the number of physical devices required to support applications as well as lower the cost of maintaining technology deployed in remote locations. With multiple vendors entering the SD-WAN market offering a myriad of features and choices, organizations need to sift through the options to determine what features are really necessary.

What You Don't Need

Security is a vital piece of WAN infrastructure that must be addressed. Most SD-WAN vendors provide basic security features such as encryption, layer 2 access control, and possibly some basic firewall functionality. But those basic features are not enough, so SD-WAN vendors have developed security partnerships. By using service insertion or service chaining, separate security services such as firewalls and IPS are inserted into the data flow. This provides the additional security needed, but also creates extra complexity, cost, and administration for these external devices. Preferably, look for a solution with full security integrated into the SD-WAN.

One of the advanced features of SD-WAN is the ability to measure real-time transport quality (latency and packet loss) and use Policy-Based Routing (PBR) to route application-specific traffic over the most appropriate transport. Applications are grouped into classes, such as voice/video, business-critical, or best effort.
When it comes to this feature, what you don't need are dozens of these classes. Generally around 3-5 is enough.

Deploying a new site for SD-WAN requires an SD-WAN gateway to be deployed on-site. When deciding between deploying a physical appliance or a virtual appliance, a physical appliance is preferred and most commonly used for connecting offices. Virtual appliances require something to be deployed, managed, and scaled (just like a physical appliance); however, their performance is subject to the underlying hardware. Where physical hardware cannot be deployed, such as when connecting the cloud, agentless deployment is best.

What You Should Focus on Instead

There are four main features you'll want to look for in an SD-WAN solution.

SD-WAN Provider Has Its Own Backbone

A provider with its own backbone presents several advantages for the customer. Unlike unmanaged Internet connections, a provider-owned backbone provides MPLS-like, SLA-backed latency but at an affordable cost. Ideally, this backbone should be comprised of multiple tier-1 carriers with multi-gigabit links.

Security Converged into the SD-WAN

Rather than having the burden of managing separate physical or virtual security devices in multiple locations, an SD-WAN vendor that offers converged security can provide a solution that enforces a comprehensive security policy on both WAN and Internet-bound traffic, for all users in both fixed locations and mobile. An integrated solution provides full visibility of traffic, a unified security policy, and simplified life-cycle management.

Network Optimization

A WAN connection consists of the last mile, which is between the edge site and the local ISP, and the middle mile, which connects the two last miles. Traditional SD-WAN appliances, if they perform WAN optimization, treat all segments the same. To get the most benefit, a vendor should treat the segment types differently, applying optimization techniques according to the characteristics of the last and middle miles.
Some last mile optimizations to look for are packet loss compensation, enhanced link capacity and resiliency, latency mitigation and throughput maximization, and application QoS. Middle mile optimizations should include SLA-backed transports, dynamic path selection, and optimal global routing. In addition, cloud traffic can be optimized with shared Internet Exchange Points (IXPs). SD-WAN vendors that co-locate PoPs in data centers directly connected to the IXPs of the leading IaaS providers such as Amazon AWS, Microsoft Azure, and Google Cloud can optimize traffic via the shortest and fastest path.

Cloud Deployments and Mobile Workers

Migrating parts of a data center to the cloud can fragment access controls and security policies. This separation complicates policy management and limits overall visibility. Securing and optimizing mobile user traffic is an additional challenge. An SD-WAN vendor that can provide a global backbone connecting all physical locations, cloud, and mobile workers can optimize routing and reduce latency to key applications like Office 365, and enforce application-aware security policies on all access. Customers can seamlessly extend corporate access control and security policies to cloud resources, enabling easy and optimized access for mobile users and branch locations to all applications and data anywhere.

Bottom Line

If you're not using SD-WAN yet, according to industry growth estimates, you are likely going to be using it in the future. An SD-WAN provider such as Cato Networks can provide a solution to meet the needs of global organizations that rely on data and applications in the cloud and are driven by a mobile workforce. To learn more, subscribe to Cato Networks' blog.

Cato Adds Threat Hunting Capabilities to Cato Cloud

Last week, we announced new security capabilities as part of our advanced security services. Cato Threat Hunting System (CTHS) is a set of algorithms and procedures developed by Cato Research Labs that dramatically reduces the time to detect threats across enterprise networks. CTHS is not only incredibly accurate but also requires no additional infrastructure on a customer's network.

BATTLING COMPLEXITY, OPENING ACCESS

It's no secret that despite their investment in perimeter security, enterprises continue to battle malware infections. According to Gartner, "Midsize enterprises (MSEs) are being targeted with the highest rate of malware in email traffic, representing one in 95 emails received. Worse yet, 80% of breaches go undetected. The median attack dwell time from compromise to discovery is 101 days."*

Traditional threat hunting attempts to reduce malware dwell time by proactively looking for network threats using endpoint and network detection, third-party event logs, SIEM platforms, managed detection and response services, and other tools. These approaches require deploying dedicated collection infrastructure, whether on endpoints or the network, and the application of specialized human expertise.

Endpoint sensors invariably miss IoT devices, which can't run agents, personal mobile devices, and other network devices. They also make deployment more complicated, as sensor operation is frequently impacted by updates to endpoint software such as operating systems and anti-virus software. At the same time, network sensors often lack the necessary visibility. Network address translation (NAT), firewalls, and the widespread use of encryption often obscure what network sensors can see. And the collected log data passed to the SIEM run by security analysts lacks sufficient context to hunt threats.
The security tools generating the event logs necessarily omit details irrelevant to their operation but very relevant to finding threats. URL or web filters, for example, will indicate if there's been an attempt to access a "bad URL" but fail to provide the additional flow information needed to determine whether the cause is a live infection or simply a user's bad browsing habits.

DEEPER DATASET AND MORE CONTEXT

By leveraging Cato Cloud, CTHS addresses the deployment challenges, data quality, and lack of context limiting threat hunting systems. As the corporate network connecting all sites, cloud resources, and mobile users to one another and the public Internet, Cato Cloud already has visibility into all site-to-site and Internet traffic. CTHS uses this rich dataset; no additional data collection infrastructure is necessary. Working with actual network traffic data, not logs, provides CTHS with the full context for every IP address, session, and flow. SSL traffic can be decrypted in real time to deepen that dataset. Multidimensional, machine-learning algorithms developed by Cato Research Labs continuously hunt that massive data warehouse for threats across Cato customers.

One dimension evaluated is that of the clients generating flows. Instead of categorizing the flow source by a domain or IP address, CTHS identifies the type of application generating the flow. A browser window accessed by a user over a keyboard is very different from a browser that communicates with the Internet without a window presented to the user. The nature of the client application is a high-quality indicator of malware activity.

Another dimension is the destination or target. Typically, threat detection systems rely in part on third-party reputation services to identify C&C servers and other malicious targets. But attackers can game reputation services, potentially masking malicious targets. Instead, Cato Research Labs developed a "popularity" indicator that's immune to such tactics.
Popularity is calculated from the frequency of access to a domain across all Cato customers. Low-frequency access is a risk factor that can be validated against other dimensions. Moreover, machine learning algorithms are applied to detect auto-generated domain names — another risk factor pertaining to the target.

The third dimension is time. Malware shows specific network characteristics over time, such as periodically communicating with a C&C server. Usually, security tools are unable to spot these trends as they only look for events at specific points in time. CTHS, however, looks across time to identify network activity that might indicate a threat.

By putting those three contexts together — source, target and time — CTHS can spot communications likely to indicate a threat. Cato's world-class Security Operations Center (SOC) then validates events flagged by CTHS. Because of the multi-dimensional analysis, a considerable number of events and indicators can be reduced to a small number of events that require human verification. If a threat is verified, the Cato SOC team notifies the customer and uses the CTHS output to harden Cato's prevention layers to detect and stop future malicious activities for all Cato customers. By learning from all customer traffic, Cato can spot and protect against threats far faster and more efficiently than any one enterprise.

EASY, AFFORDABLE THREAT PROTECTION WITH CATO

Cato Threat Hunting System is a natural extension of Cato Cloud security services that requires no additional hardware to bring threat protection to locations, mobile users, and cloud resources. To learn more about CTHS, visit us at InfoSec London, stand H60. Elad Menahem, head of security research, and Avidan Avraham, security researcher, will be presenting details of CTHS in their InfoSec Tech Talk entitled "Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis," on Wednesday, 6th June, at 16:00 – 16:25. Can't make it there?
You can learn more about our advanced threat protection services, or drop us a line here for specific information about CTHS.

*Gartner, Inc. "Midsize Enterprise Playlist: Security Actions That Scale," Neil Wynne and James A. Browning, May 2018 (login required)
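The three contexts the post describes (client type, target popularity across customers, and regularity over time), worked as an added detection example that is not Cato's CTHS code: it scores a constructed flow log on each context and keeps only the source/target pairs where several contexts agree. The client kind labels, the popularity threshold and the periodicity test are assumptions; the post's machine-learning classifier for auto-generated domain names is not reproduced.

```python
"""Scoring flows on the three CTHS contexts: client type, target popularity, time.

Added example, not Cato's CTHS: a simplified version of the multidimensional
analysis the post describes, run over a constructed flow log. The client kind
labels, the popularity threshold and the periodicity test are assumptions; the
post's machine-learning classifier for auto-generated domain names is not
reproduced here.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, str, int]  # (tenant, host, client_kind, domain, time_s)

# Constructed flow records across three tenants. "browser_window" is a browser a
# user drives from the keyboard; "headless" is a process talking to the Internet
# with no window shown to the user (the post's source-dimension distinction).
FLOWS: List[Flow] = [
    ("tenantA", "w1", "browser_window", "example.com", 100),
    ("tenantA", "w1", "browser_window", "example.org", 130),
    ("tenantA", "w1", "browser_window", "example.com", 900),
    ("tenantB", "h7", "browser_window", "example.com", 200),
    ("tenantB", "h7", "headless", "updates.example.net", 500),   # windowless, but widely used
    ("tenantC", "h2", "headless", "updates.example.net", 3600),
    ("tenantC", "h2", "browser_window", "example.org", 4000),
    # Windowless process on w2 contacting a domain no other tenant uses, every 300 s.
    ("tenantA", "w2", "headless", "xk3j9q2vbn7z.example", 1000),
    ("tenantA", "w2", "headless", "xk3j9q2vbn7z.example", 1300),
    ("tenantA", "w2", "headless", "xk3j9q2vbn7z.example", 1600),
    ("tenantA", "w2", "headless", "xk3j9q2vbn7z.example", 1900),
    ("tenantA", "w2", "headless", "xk3j9q2vbn7z.example", 2200),
]

MIN_TENANTS_FOR_POPULAR = 2   # assumed: a target seen by fewer tenants is "unpopular"
MIN_BEACON_SAMPLES = 4        # need at least three intervals to judge regularity
MAX_INTERVAL_CV = 0.15        # assumed: coefficient of variation below this is periodic


def domain_popularity(flows: List[Flow]) -> Dict[str, int]:
    """Number of distinct tenants that contacted each domain (the popularity indicator)."""
    tenants = defaultdict(set)
    for tenant, _host, _kind, domain, _t in flows:
        tenants[domain].add(tenant)
    return {domain: len(s) for domain, s in tenants.items()}


def is_periodic(times: List[int]) -> bool:
    """True when inter-flow intervals are regular enough to look like beaconing."""
    if len(times) < MIN_BEACON_SAMPLES:
        return False
    ordered = sorted(times)
    intervals = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(intervals)
    if avg <= 0:
        return False
    return pstdev(intervals) / avg <= MAX_INTERVAL_CV


def score_flows(flows: List[Flow]) -> Dict[Tuple[str, str, str], Tuple[int, List[str]]]:
    """Score each (tenant, host, domain) on the three contexts; 0-3 with reasons."""
    popularity = domain_popularity(flows)
    grouped = defaultdict(list)
    for tenant, host, kind, domain, t in flows:
        grouped[(tenant, host, domain)].append((kind, t))
    result = {}
    for key, records in grouped.items():
        reasons = []
        if all(kind == "headless" for kind, _ in records):
            reasons.append("source: no user-facing window")
        if popularity[key[2]] < MIN_TENANTS_FOR_POPULAR:
            reasons.append("target: low popularity across tenants")
        if is_periodic([t for _, t in records]):
            reasons.append("time: periodic contact")
        result[key] = (len(reasons), reasons)
    return result


def candidates(flows: List[Flow], min_score: int = 2) -> List[Tuple[str, str, str]]:
    """Keys worth an analyst's time, highest score first."""
    scored = score_flows(flows)
    keep = [k for k, (s, _) in scored.items() if s >= min_score]
    return sorted(keep, key=lambda k: (-scored[k][0], k))


if __name__ == "__main__":
    scored = score_flows(FLOWS)
    for key in candidates(FLOWS):
        print(key, scored[key])
```

A popular windowless updater scores on one context only and stays below the threshold, which is the point of combining the contexts before handing events to analysts.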

It’s Time To Break Down The Access Silos

IT departments love their silos. Server operations, virtualization, app development, networking and others live in silos. However, there's another layer of silos within those that creates more granular ones. For example, in networking, when it comes to access, companies tend to manage the various methods of access independently. This has given rise to businesses building strategies and buying products specifically to address in-office access, remote access, home access and a bunch of other types.

Isn't it time we stopped thinking about access silos and just considered "access" as one problem, regardless of where the user is located? That would certainly simplify the user experience, as workers would no longer be burdened with being the integration point for all these various technologies. In this era, where consumer vendors compete on ease of use, users hate complexity, and accessing corporate resources has become an overly complex task.

Don't get me wrong, IT organizations and network vendors aren't doing this on purpose. The problem lies in the fact that access has evolved, and new solutions were designed as a way of enabling people to work from these new locations without thought to what existed before. 50 years ago, if the technology industry could have foreseen what the world would be like today, we might not have the quagmire of stuff that we do. But alas, that isn't the case, and we've layered on access technology after access technology to enable people to work where and when they need to.

The problem with the piece-part approach is that it creates inconsistencies for workers. Either the business allows everyone to access everything from everywhere, or it manages access policies one system at a time. The problem with the former is that it has significant implications for security and compliance, and the latter methodology is a nightmare to manage. So, what's a network manager to do?
VPNs are one possibility, but they are a headache to set up and manage and don't always work. Many hotels, airports and other public locations block VPN access, causing access problems. Also, VPNs make sense when accessing internal resources but get in the way of accessing cloud services. Given that businesses are shifting more apps to the cloud, it may be time to ditch VPNs.

It's time to rethink access, and that requires changing the way we think about it. Instead of thinking about access as a problem to be solved on a location-by-location basis, think of solving access through the lens of the user; that requires creating a single access method and policy so the user no longer has to be the middleware. Doing this with traditional on-premises infrastructure might be possible but requires a massive overlay to be built and maintained. A better approach is to leverage a cloud service. In this case, the worker would connect into the cloud via a secure connection, and the cloud provider would connect the user to the correct internal and cloud resources. This has the added benefit of enabling workers to connect directly to a cloud service, bypassing the trip into the company network and back out. Given the amount of traffic going to and from the cloud, having users go direct to cloud will save a significant amount of bandwidth and money. Users will also have a better overall experience, as their connection to the cloud won't be "tromboning" into a centralized hub and back.

A single connection method also allows for a unified set of policies to be applied. A cloud service allows corporate policies to be enforced across all traffic regardless of source and destination. This includes legacy WANs, SD-WANs, branch office connections, cloud and mobile connectivity – multiple connection types, one policy. From a user perspective, this has the benefit of making access and security transparent.
In a sense, the cloud acts as an overlay that masks the underlying complexity. Instead of making the user the integration point, the cloud takes that role. The world is becoming more dynamic and distributed, which means silos are bad, as they tend to be centralized and static. Rethinking access so it no longer lives in silos is crucial to ensuring users can indeed do what they need to, when they need to, regardless of location.

2018 SD-WAN Survey: What Enterprises Want From Their SD-WAN Vendor

SD-WAN adoption is seeing rapid growth as companies look to streamline their WAN infrastructure and move toward more cloud-based applications. Much of the growth in SD-WAN adoption is from companies looking for ways to reduce the number of physical devices required to support applications as well as lower the cost of maintaining technology deployed in remote locations. The list of vendors offering SD-WAN services is growing, and we felt the time was ripe to go out and ask the tough questions about what it is these companies are looking for when selecting a vendor and what other factors are on their mind.

Our 2018 survey included over 700 respondents from IT enterprises that currently run MPLS backbones. Of those respondents, 72 percent are from organizations with 10 or more locations, and 57 percent indicated their organizations had 2-4 physical datacenters. Six areas were covered in the survey.

1. Complexity of Security Networks is Driving Change

In June 2017, the world's largest container ship and supply vessel operator, Maersk, was infected with the Petya ransomware and lost revenue of approximately $300m. The company maintains offices in 130 countries with 90,000 employees. Maintaining security on a network with hundreds of locations is a challenge, and a security breach could mean lost revenue and compromised client or intellectual data. Organizations with far fewer locations and employees than Maersk are equally challenged by the complexity of securing a WAN that requires a plethora of costly hardware devices along with staff with the skill sets to manage them all. As cyberattacks increase and evolve, effective network security is critical. Results from the survey reveal that problems stemming from complexity are driving organizations to find solutions that simplify security and the underlying infrastructure.
Streamlining the network security infrastructure and providing secure Internet access from any location were the top 2 reasons for moving to SD-WAN in 2018.

2. Cost Reduction Remains a Driving Force for Enterprises

Which priorities did you achieve after SD-WAN deployment? Forty-two percent said it reduced the cost of MPLS service. Anyone managing an MPLS network knows what a costly endeavor it is, and many are looking to SD-WAN to reduce the high monthly overhead MPLS presents. Fisher & Co, a global manufacturing firm, was running an MPLS network that was costing them $27,000 per month. Their MPLS configuration also required a stack of appliances – firewalls, routers, and WAN optimization – at each site that added costs and complexity. Looking to reduce costs, they moved their network to Cato Cloud, which cut their monthly expenses by two-thirds. Ancillary benefits from the move include creating a single network with built-in security, elimination of appliance stacks at each site, and increased WAN capacity.

3. The Importance of Branch Security for Enterprises Moving to an SD-WAN Network

The spread of massive ransomware outbreaks has heightened awareness of the need to secure not just the datacenter, but branch offices as well. Participants in the survey reflect this when asked what role threat protection plays in SD-WAN decision making: eighty-seven percent said it is critical or very important in their decision making. Pet Lovers Centre, a pet supply retailer based in Singapore, realized they needed to take action to improve the security of their 105 sites, which include 65 locations in Singapore and 40 franchises. They had IPsec VPNs from each store to the datacenter. Other than the datacenter and four stores, none of the locations had firewalls to protect them against malware and other attacks. Protection was particularly important as employees accessed the Internet directly.
Considering his options, CEO David Whye Tye Ng felt neither MPLS nor deploying security appliances could meet his needs for low cost, rapid deployment, and ongoing management. He found that deploying an SD-WAN solution with a fully integrated security stack, which included next-generation firewall (NGFW), secure web gateway (SWG), Advanced Threat Prevention, and network forensics, met his budget and security requirements. As a result, they have now significantly improved their security posture and have tight controls on their security at each branch location.

4. Support For Cloud Applications Is Now a Requirement, Not a Luxury

It's no surprise that the use of cloud datacenters and cloud applications has grown exponentially, especially for global enterprises. Sixty-five percent of survey respondents have at least one cloud datacenter, while nearly half (45%) have two or more cloud datacenters. An overwhelming 78 percent said they use at least one cloud application such as Office 365. MPLS is not inherently well suited for the cloud because most often traffic from users is backhauled to reach the cloud, causing bottlenecks and latency. This is a driving factor for enterprises to look to SD-WAN to improve WAN and mobile access performance to cloud providers like Amazon AWS. The Internet is the shortest path to the cloud, and because SD-WAN uses Internet connections, users see less latency than when first backhauling across an MPLS network.

5. SD-WAN and the Rise of Co-Management

When choosing to implement SD-WAN, there's the option of going with an appliance-based solution or SD-WAN as a service. It's interesting to note that in the 2017 survey, 30 percent of respondents were using SD-WAN as a service, and in 2018 that number rose to 49 percent. Appliance-based solutions have their problems, such as erratic Internet, limited security, and integration complications. In contrast, service-based solutions have private backbones, built-in security, and are fully managed.
Of the service-based solutions, respondents prefer the co-managed approach, whereby the customer retains some control to make changes such as security policy updates.

6. The Evolution of What 'SD-WAN' Means - The Rise of SD-WAN 3.0

Technology shifts and business drivers are exerting pressure on the WAN, shifting it from a resource that simply connected offices to a resource that connects offices, cloud datacenters, SaaS applications, and mobile users. The technology of SD-WAN itself has transformed over time to meet these pressures, and has undergone 3 major developments:

SD-WAN 1.0: Starting out, SD-WAN didn't provide any network virtualization. The problem it addressed was the issue of last mile bandwidth and availability. It solved that challenge by providing link bonding at the edge.

SD-WAN 2.0: Over time, businesses required increased WAN performance and agility. So SD-WAN vendors began to provide a virtualized network with the ability to optimize traffic with application-aware routing.

SD-WAN 3.0: Today, many organizations have a mix of offices, cloud, mobile, and SaaS applications that all need to connect simply and securely. By providing a single, unified platform to connect all devices, SD-WAN meets the requirements of a secure, universal network that reduces MPLS cost, eliminates appliances, and streamlines operations.

To learn more about our survey and the future of SD-WAN, watch the full survey webinar "State of the WAN 2018" here.

SD-WAN Use Cases – Where to Start with SD-WAN

SD-WAN is all the rage in enterprise networking these days. IT teams are excited about the opportunities SD-WAN creates to transform their networks. Scarred by slow, rigid and complex technologies, like MPLS, and complex command line interfaces, networking professionals are turning to SD-WAN to usher in an era of automated and intelligent networks. But wait. All IT projects and initiatives need a compelling use case to get off the ground, with tangible benefit to justify the investment. Below are some of the use cases that can launch your SD-WAN project.

Improved WAN resiliency, availability and capacity

The network is the core of our digital business. Many organizations procure MPLS services to maximize the availability and uptime of the network. But the MPLS uptime promise comes at a very high cost. At the end of the day, even carrier SLAs can't circumvent cut fibers from negligent roadwork. Many organizations have a secondary Internet link as a failover option in case of an outage. But the capacity of the secondary connection is unused in daily operation, and failover is often harsh, impacting user productivity.

SD-WAN enables IT to augment MPLS with high-capacity Internet connections from a separate provider. SD-WAN automates the use of both links concurrently using a feature called Policy Based Routing (PBR). PBR matches application traffic to the most appropriate link in real time. If a link fails, PBR will automatically select the alternative link and prioritize traffic by business need to make sure the location remains connected while the underlying service issue is resolved. The combination of the two links through SD-WAN and PBR increases overall resiliency and availability. At the same time, the added capacity increases overall usable bandwidth at the location.
Bottom line: SD-WAN enables the continuous, intelligent use of multiple transports to improve network resiliency, availability and capacity, enabling uninterrupted user productivity.

Affordable global connectivity for branch offices and mobile users

Global organizations have had to rely on expensive global MPLS services to achieve a predictable and consistent network experience for enterprise users. If you couldn't afford it, the only other alternative was the unpredictable public Internet. SD-WAN promises to reduce MPLS costs by leveraging inexpensive Internet connections. In regional scenarios, and especially in the developed world, the Internet is pretty reliable over the short haul. But replacing MPLS with Internet connectivity can be challenging in a global context. Customers require SLA-backed connectivity to ensure consistent network service. This calls for a classic hybrid WAN configuration where MPLS must be kept as a production transport. For mobile users, MPLS or SD-WAN appliances aren't an option, yet mobile users have the same global optimization needs. Look into solutions that extend the SD-WAN fabric to mobile users globally.

Bottom line: SD-WAN appliances rely on at least one consistent and predictable transport. To eliminate the cost of MPLS in the global context, look for an affordable MPLS alternative and ways to apply SD-WAN to mobile access.

Securely extending the enterprise WAN to the cloud

Over the past few years, enterprises have started migrating some of their applications to cloud datacenters like Amazon AWS and Microsoft Azure. This change, along with the use of cloud applications like Office 365, has impacted the traffic patterns of the enterprise network. Instead of going from the branch to the datacenter, often over dedicated MPLS links, an increasing share of the traffic is destined for the cloud.
Branch-to-datacenter backhaul wastes MPLS capacity and adds latency, because traffic that reaches the datacenter ultimately needs to reach the Internet. By incorporating Internet-based connectivity in the branch using SD-WAN, it is possible to exit Internet- and cloud-bound traffic at the branch and avoid backhauling. It is important to note that this architecture must address security at the branch, as it was previously addressed in the datacenter. Basic firewalls included with most SD-WAN appliances provide very limited security and threat protection. Full-blown next generation firewalls in each location create appliance sprawl and a management headache. To address these challenges, Firewall as a Service (FWaaS) solutions can be considered to secure Internet access without the need to deploy physical security appliances alongside SD-WAN appliances.

Furthermore, optimizing cloud access from the branch is not a trivial matter. Even for regional companies, cloud datacenters and cloud applications may be far away from some or all of the business locations. Cloud traffic is not optimized with MPLS-based designs that are focused on branch to physical datacenter connectivity, and direct Internet access at the branch uses the unmanaged public Internet to reach the cloud. Alternative approaches, such as cloud networks, are optimized to address cloud traffic. They place themselves in close proximity to both customer locations and cloud destinations and use private SLA-backed backbones to optimize end-to-end performance.

Bottom line: SD-WAN deployments are often driven by the need to extend the business into the cloud. IT teams should be aware of the security and performance implications and verify that the proposed SD-WAN designs address them.

Summary

If you are in the market for SD-WAN technology, all of these use cases are likely on your roadmap.
Better network resilience and capacity, secure and optimized cloud integration, and high-performance global connectivity are all major business drivers. Thinking about how to address them holistically will ensure high business impact for your WAN transformation project.
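The Policy-Based Routing behaviour described in this post and in "What You Don't Need from an SD-WAN Vendor" (a handful of application classes, real-time latency and loss measurement, blackout and brownout detection, and moving sessions to the better link), worked as an added example that is not Cato's code. The class thresholds, link names and probe values are assumptions for illustration.

```python
"""Policy-Based Routing path selection with blackout and brownout handling.

Added example, not Cato's code: models the PBR behaviour described in the
"What You Don't Need" and "SD-WAN Use Cases" posts. A few application classes
(3-5, as the post advises) each carry a transport-quality requirement; the
selector keeps a session on its link while the link meets the class
requirement and moves it when the link blacks out (unreachable) or browns
out (latency or loss above the class threshold). Class thresholds and link
names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AppClass:
    name: str
    max_latency_ms: float  # brownout threshold for this class
    max_loss_pct: float


# Three classes, as the post suggests; thresholds are assumed values.
CLASSES: Dict[str, AppClass] = {
    "voice_video": AppClass("voice_video", max_latency_ms=150.0, max_loss_pct=1.0),
    "business_critical": AppClass("business_critical", max_latency_ms=300.0, max_loss_pct=3.0),
    "best_effort": AppClass("best_effort", max_latency_ms=1000.0, max_loss_pct=10.0),
}


@dataclass(frozen=True)
class LinkProbe:
    """Latest quality measurement for one transport (constructed in the demo)."""
    link: str
    latency_ms: Optional[float]  # None when the probes went unanswered
    loss_pct: float

    @property
    def blackout(self) -> bool:
        return self.latency_ms is None or self.loss_pct >= 100.0

    def brownout_for(self, cls: AppClass) -> bool:
        """True when the link is up but cannot carry this class acceptably."""
        if self.blackout:
            return False
        return self.latency_ms > cls.max_latency_ms or self.loss_pct > cls.max_loss_pct

    def usable_for(self, cls: AppClass) -> bool:
        return not self.blackout and not self.brownout_for(cls)


def _quality_key(p: LinkProbe) -> Tuple[float, float]:
    # Rank by loss first (most harmful to real-time traffic), then latency.
    return (p.loss_pct, p.latency_ms if p.latency_ms is not None else float("inf"))


def rank_links(probes: List[LinkProbe], cls: AppClass) -> List[str]:
    """Links that satisfy the class requirement, best first."""
    usable = [p for p in probes if p.usable_for(cls)]
    return [p.link for p in sorted(usable, key=_quality_key)]


def select_link(probes: List[LinkProbe], cls: AppClass, current: Optional[str] = None) -> Optional[str]:
    """Pick the link a session of this class should use.

    A session stays on its current link while that link still meets the class
    requirement, so healthy sessions are not flapped between transports. If no
    link meets the requirement, the least-degraded live link is used; None
    means every transport is in blackout.
    """
    ranked = rank_links(probes, cls)
    if current in ranked:
        return current
    if ranked:
        return ranked[0]
    alive = [p for p in probes if not p.blackout]
    return min(alive, key=_quality_key).link if alive else None


def reroute_sessions(sessions: Dict[str, Tuple[str, str]], probes: List[LinkProbe]):
    """Apply the selector to every active session.

    sessions maps session id -> (class name, current link). Returns a list of
    (session id, old link, new link, action) where action is "keep" or
    "failover"; a blackout of every link yields new link None.
    """
    decisions = []
    for sid, (cls_name, link) in sessions.items():
        new_link = select_link(probes, CLASSES[cls_name], current=link)
        decisions.append((sid, link, new_link, "keep" if new_link == link else "failover"))
    return decisions


if __name__ == "__main__":
    # Constructed measurements: broadband has gone into brownout, MPLS is healthy.
    probes = [LinkProbe("mpls", 40.0, 0.1), LinkProbe("broadband", 180.0, 2.0)]
    sessions = {
        "sip-call-1": ("voice_video", "broadband"),    # must move: 180 ms / 2% breaks voice
        "erp-1": ("business_critical", "broadband"),   # stays: within 300 ms / 3%
        "backup-1": ("best_effort", "broadband"),      # stays
    }
    for decision in reroute_sessions(sessions, probes):
        print(decision)
```

Only the voice session moves in the demo; the other classes tolerate the degraded broadband link, which is what keeps a brownout from turning into a site-wide failover.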

Inside Gartner’s 10 Worst Networking Practices

No networking team plans to become inefficient. But in the rush to solve today's pressing problems, inefficient practices creep into many organizations. A recent Gartner research note identified the worst of these networking practices, their symptoms, and what you can do about them. We thought the report so informative that we've made it free to download for a limited time. Download it from here.

The report, "Avoid These 'Bottom 10' Networking Worst Practices," by Andrew Lerner, Bill Menezes, Vivek Bhalla, and Danellie Young, identifies the most common "bad" networking practices Gartner analysts have seen over the course of several thousand interactions with Gartner clients. Often, these practices grew out of the best intentions, evolving incrementally over time. The research groups these practices into four categories — cultural, design and operational, and financial:

Cultural "worst practices" describe a general attitude towards innovation and collaboration. Specific examples include excessive risk avoidance, adherence to manual network changes, and network silo-ism.

Design and operational "worst practices" describe a set of practices that impinge on network agility, increase costs, and complicate troubleshooting. These include the accumulation of technical debt, lack of a business-centric network strategy, WAN waste, and limited network visibility.

Financial "worst practices" describe the decision-making process by which companies are led to vendor lock-in and to taking questionable advice from vendors or resellers pushing their own agenda.

With each practice, Gartner explains the context of the specific practice, identifies symptoms, and provides concrete actions you can take to address the practice in your organization.
With “excessive risk avoidance,” for example, Gartner explains that because a disproportionately high degree of responsibility for overall IT system availability falls on the networking team, personnel are heavily motivated to maintain high-availability infrastructures. More broadly, the focus on availability and concern about downtime fosters a culture of risk avoidance. Caution isn’t a bad thing, but excessive caution can result in a reluctance to even consider new architectures, refusal to assess new or non-incumbent vendors, and insistence on delivering over-engineered solutions. A very practical example — MPLS. Gartner explains that some companies will use MPLS at all branch locations without regard for the availability, performance, application and capacity needs of the users at each location.

What can be done? Since risk avoidance stems from the desire to limit network outages, Gartner explains that “...organizations must shift the way network downtime is handled in their organizations. This requires incorporating "anti-fragile" designs and enabling blameless postmortems. Further, network leaders must foster innovation and encourage appropriate risk taking rather than risk avoidance.” For further ways to address “excessive risk avoidance” and the rest of the Gartner “worst” practices, download the report for free here.

SD-WAN and Cloud Security

Cloud computing has been an integral part of the modern enterprise for some time. No longer an emerging technology, cloud computing is now used in everything from applications to storage and networking. With vendors like Amazon AWS and applications like Office 365, the cloud computing market is projected to reach $411B by 2020. Gartner predicts that by 2021, 28% of all IT spending will be for cloud services.

Companies that need to connect their users to services in the cloud, and that have been using a wide-area network (WAN) with MPLS for security, are seeing the benefits of using a software-defined wide-area network (SD-WAN) for connectivity. SD-WAN connects enterprise networks over large geographic distances more efficiently across any available data transport, such as MPLS, LTE, or broadband. Gartner predicts that by the end of 2019, 30% of enterprises will have deployed SD-WAN in their branch locations.

Cloud Security Issues

Moving to the cloud introduces some complexity and concerns around performance, security management, simplicity, and costs. Traditionally, enterprises configure their WAN in a classic hub-and-spoke topology, where users in sites access resources in headquarters or a datacenter. Bandwidth-intensive traffic bound for the Internet and cloud is backhauled across the MPLS WAN. However, using MPLS bandwidth to backhaul Internet data to a secure location is expensive and affects performance. Other solutions like building regional hubs are still costly and complex. The concept of a regional hub is that branches are organized into logical regional groups that connect back to a hub located within a reasonable distance for that group of locations. Delivering direct Internet access (DIA) locally requires the deployment of IPS, malware protection, next-generation firewall (NGFW) and other advanced security services at each site or in the regional hubs, increasing costs and complexity.
DIA at multiple remote sites bypasses data center security services, weakening an organization’s information security posture. The lack of SLAs for broadband Internet and limited MPLS capacity results in unpredictable performance slowdowns. Adding cloud services to an enterprise network introduces new decisions regarding firewalls and other threat management devices. Cloud providers package basic firewall capabilities with their services, but these are insufficient for most enterprises and usually aren’t long-term solutions. Oftentimes the firewall solution for the cloud is not the same as for the WAN, which means managing various vendors or models with decentralized security policies. Cloud services can be provisioned on demand, requiring that the enterprise firewalls and Unified Threat Management (UTM) solutions be elastic enough to meet the needs and resources of the company at any given time.

Cloud Security Solutions

An effective solution to securing cloud services while also improving performance and security across the WAN is a cloud-based SD-WAN solution. A cloud-based SD-WAN offers more than just an SD-WAN by:

Connecting businesses to a global network, secured by enterprise-grade security services, enforcing a unified policy and managed via a cloud-based management application.

Eliminating the need to manage multiple different security products and devices by providing a centrally managed security solution with visibility across the entire WAN.

Using the cloud-based SD-WAN solution from Cato provides significantly richer security than the basic firewall capabilities cloud providers bundle with their offerings. Features such as NGFW, advanced threat protection with Cato IPS, and network forensics are converged into a unified security platform for protecting locations connected to the WAN and mobile users, not just the cloud. Performance and latency issues caused by backhauling traffic are eliminated with Cato’s SD-WAN as a service.
The Cato Cloud connects all resources, including data centers, branches, mobile users and cloud infrastructure, into a simple, secure, and unified global network. It eliminates costly connectivity services, complex point-solution deployments, capacity constraints, maintenance overhead, and limited visibility and control. Cato has also built a full network security stack directly into its global network. This architecture extends enterprise-grade network security protection to every business user and location without requiring edge security appliances. Inspection and enforcement are applied to both WAN and Internet-bound traffic, including TLS-encrypted traffic. Cato engineers update the cloud-based software to address emerging threats and scale the cloud infrastructure to support any traffic volume. It also offers the capability to immediately scale bandwidth up or down, ensuring that critical applications receive the bandwidth they need when they need it. Customers no longer need to patch sprawling appliance software or upgrade dated and underpowered hardware. Security policies can be applied corporate-wide or to specific users and locations, securing access to on-premises applications, cloud data centers, and public cloud applications.

Rohit Mehra, Vice President of Network Infrastructure at IDC, sums it up by saying, "By its very nature, SD-WAN optimizes connectivity and increases network visibility. Its dynamic capabilities allow network managers to respond to threats as they happen more rapidly. And SD-WAN offers micro-segmentation, through which companies can further protect traffic with user-defined policies that dictate how an application is delivered and isolate infected machines if a breach occurs." Learn more about Cato Cloud and other SD-WAN technologies by subscribing to the Cato blog.

Multi-Segment Optimization: How Cato Cloud Modernizes WAN Optimization for Today’s SD-WAN

As our networks have evolved, so too have the challenges of optimizing application performance. Our new eBook, “Cato Networks Optimized WAN and Cloud Connectivity”, analyzes those challenges and explains Cato’s unique approach to overcoming the performance limitations in today’s cloud- and mobile-centric organizations.

WAN optimization was designed to overcome the limitations of MPLS-based networks. Bandwidth was expensive, which made every bit of performance essential (and, yes, pun intended). WAN optimization compensated for the latency and limited bandwidth of MPLS. Appliances deployed in branch offices and in the private datacenters housing corporate applications addressed those factors, improving network throughput. And with MPLS’s high costs, cost-justifying WAN optimization was often relatively straightforward.

But shifts in how we work and cloud adoption have changed that optimization equation significantly. For one, embracing SD-WAN and the Internet means we’ve eliminated the high costs and limited bandwidth of MPLS. Saving Internet bandwidth is simply less of a priority today than it was 10 years ago. At the same time, minimizing packet loss and latency has become far more important as applications are subject to the unpredictability of Internet routing. And while IT had the freedom to improve MPLS performance with physical appliances, that’s often not the case with today’s business. Cloud adoption means locating appliances within the datacenter may be difficult if not impossible and, regardless, users often work remotely, beyond the reach of WAN optimization devices. Cato’s unique multi-segment optimization addresses these challenges, bringing global coverage and MPLS-like latency at a fraction of the cost.
“During our testing, we found latency from Cambridge to Montreal to be 45 percent less with Cato Cloud than with the public Internet, making Cato performance comparable to MPLS,” says Stuart Gall, Infrastructure Architect in the Network and Systems group at Paysafe, a leading global provider of end-to-end payment solutions (see figure).

Figure: Data transfer testing between Montreal, Cambridge, and India

“We were getting 2 Mbits/s of throughput on our SSL VPNs from North America to Israel,” says Oren Kisler, Director of IT Operations at Stratoscale, a provider of cloud-building blocks for modernizing enterprise on-premise environments. “With Cato, we saw throughput jump more than eight-fold, reaching 17 Mbits/s.”

Figure: Cato’s network optimizations improved Stratoscale’s data throughput by more than 8x.

The Cato Cloud brings a range of optimizations to meet the challenges of improving performance across the entire enterprise — locations, mobile users, and cloud resources. To learn more, download the ebook here.

Firewall as a Service vs UTM

Every organization eventually needs to re-evaluate its existing firewall vendors. This can be the result of a vendor issuing an EoL (End of Life) announcement, budget constraints, product limitations, a pending hardware refresh, or some other unavoidable consideration. In these situations, network managers need to evaluate the state of their vendor’s firewall and the future viability of their security software and hardware.

Many organizations have migrated from traditional firewalls by investing in NGFWs (Next Generation Firewalls). NGFWs emerged more than a decade ago in response to enterprises that wanted to combine traditional port and protocol filtering with the ability to detect application-layer traffic. More recently, UTM (Unified Threat Management) firewalls were developed to give small and midsize businesses not only firewall functionality but also anti-malware, anti-spam, and content filtering in a single appliance.

However, enterprise networks have evolved with the rise of cloud services and mobile users. UTMs were not designed to secure cloud infrastructure, so a new class of network security product was created for cloud security: the Cloud Access Security Broker (CASB). CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies. However, this solution led to the fragmentation of security controls, and mobile users are still not addressed by it. This configuration also led to administration and maintenance issues. Appliances eventually run into capacity constraints and vendor EoL cycles. Appliance sprawl and the high overhead of configuring, patching, and upgrading appliances at each location are constant headaches. Rather than taking a patchwork approach to fixing these issues, Firewall as a Service (FWaaS) offers an alternative, comprehensive solution.
How Firewall as a Service Works

The essence of a FWaaS solution is to provide a full network security stack in the cloud, eliminating the care and maintenance associated with traditional network security appliances. FWaaS solves the issues faced by other security solutions by enforcing a comprehensive security policy on both Internet-bound traffic and users in fixed and mobile locations. All enterprise traffic is aggregated into the cloud, allowing the entire organization to connect to a single global firewall with a unified, application-aware security policy.

FWaaS was recently recognized by Gartner as a high impact, emerging technology in infrastructure protection. It presents a new opportunity to reduce cost and complexity, and provides a better overall security solution for enterprises. FWaaS has 4 primary advantages over older solutions:

No capacity constraints
Always current. No user requirement for software maintenance and vulnerability patching
Simplified management
Ability to inspect traffic across multiple networks

No Capacity Constraints

Appliances are limited by physical capacity and active services, and typically have an EoL cycle of 3-5 years. FWaaS is able to scale as needed to process traffic and can seamlessly upgrade with new capabilities and countermeasures without being limited by capacity restrictions and equipment upgrades.

No Software Maintenance and Vulnerability Patching

UTM appliances require periodic maintenance windows, resulting in the risk of downtime and demands on the attention of network staff. In contrast, a FWaaS provider handles all the updating, patching, and enhancing of the network security software.

Simplified Management

Firewall administrators are familiar with the challenges of maintaining consistent security policies across sites. UTM appliances are no exception, with rules for each appliance requiring diligent maintenance. With FWaaS, one logical rule set is created to define access control across enterprise resources.
A single policy is centrally managed for all sites and mobile users, simplifying WAN security administration. Having a single policy also eliminates contradictory rules that could introduce security holes in the network.

Inspecting Traffic Across Multiple Networks

Utilizing FWaaS provides full visibility into all WAN and Internet traffic. For example, traffic can be inspected for phishing attacks, inbound threats, anomalous activity by insiders, sensitive data leakage, command and control communications, and more. By inspecting traffic across multiple networks, network administrators can detect threats earlier and quickly adapt their security policies as needed.

Whether deciding to upgrade existing firewalls, change firewall vendors, or move to FWaaS, it’s important to consider the value of centralizing security policies and network visibility. FWaaS offers advantages over UTM firewalls and leverages advances in software and cloud technologies to deliver a wide range of network security capabilities wherever businesses need them. Visit Cato Networks’ blog for more information on FWaaS and case studies of companies that have successfully moved beyond appliance-based security solutions. Read more about the best cloud firewall.

Top Webinars on SD-WAN Technology and Solutions

According to a report from Forrester, 90% of Network Managers are looking to evolve their WAN with a software-defined approach. IT Managers and business leaders may find it hard to find time to attend conferences, and webinars are a great alternative for staying current on the latest technologies. Below are valuable on-demand webinars that answer crucial questions about SD-WAN technology. Each webinar provides insight into a different SD-WAN topic for IT leaders to consider.

The Case for Taking Networking and Security to The Cloud

Hardware-based infrastructures are increasingly challenged to adequately address cloud migration and a mobile workforce. They are also plagued by connectivity charges, appliance upgrades, software updates, and vulnerability patching. This webinar explains how Cato’s Cloud-based Secure Network offers a simple and affordable platform to securely connect all parts of an enterprise into a unified SD-WAN network, with direct impact on your business.

MPLS, SD-WAN and Cloud Networks: The path to a better, secure and more affordable WAN

In this webinar, enterprise networking expert Dr. Jim Metzler from Webtorials and Yishay Yovel, VP Marketing at Cato Networks, discuss the options available to enterprise IT networking and security teams to architect a secure WAN. This includes incorporating cloud infrastructure and the mobile workforce into the WAN, and using advancements in cloud services, agile software, and affordable Internet capacity to optimize and reduce the costs of the WAN. Find out how you can take advantage of the latest capabilities to optimize and secure your regional, national, or global network.

Stop Appliance Sprawl and Traffic Backhauling

You know the challenges of appliance-based networking and security. Branch office appliances have limited capacity, preventing the use of many of their features when traffic volumes increase or rule sets grow.
This webinar discusses providing direct and secure Internet access at remote locations, and explores how you can connect branch offices and remote locations without dedicated appliances or traffic backhauling.

SD-WAN and Beyond: Critical Capabilities for a Successful WAN Transformation

Now is the time to address the changing role of the WAN as enterprises increasingly move to the cloud, expand the mobile workforce, and require a secure path to the Internet. Join enterprise networking expert and analyst Jim Metzler and Ofir Agasi, Director of Product Marketing at Cato Networks, as they discuss a survey of WAN professionals regarding the current drivers and inhibitors for WAN transformation and the deployment of SD-WAN. They also discuss best practices and core requirements for a successful SD-WAN project, and how the convergence of networking, security, cloud, and mobility can maximize the business benefits of SD-WAN.

Multi-Cloud and Hybrid Cloud: Securely Connecting Your Cloud Datacenters

In this webinar, discover the answer to “How can organizations securely connect all resources when multiple datacenters, mobile users, and remote locations are involved?” Hai Zamir, VP of Infrastructure at SpotAd, and Ofir Agasi, Director of Product Marketing at Cato Networks, discuss the connectivity and security challenges of building a hybrid and/or multi-cloud. Find out how SpotAd connected its global organization to multiple, multi-region AWS VPCs, and learn about real customer examples of extending the legacy WAN using a secure cloud network to include cloud infrastructure and enable global user access.

SD-WANs: What Do Small and Medium-Sized Enterprises Really Need to Know?

Since the introduction of software-defined wide area networks (SD-WAN), small to medium-sized enterprises (SMEs) have had to consider a vast array of features targeted at and designed for large organizations.
Watch this webinar to learn what capabilities an SME really needs to consider when evaluating an SD-WAN. Steve Garson, President of SD-WAN Experts, and David Greenfield, secure networking evangelist from Cato Networks, will answer some of the fundamental questions SMEs face when they evaluate SD-WANs. Learn the differences between bonding and SD-WAN, service insertion, which load balancing type is right for your business, various application performance and feature options, and security considerations.

What SD-WAN Vendors Won't Tell You About SD-WANs

Take a hard look at the myths and realities of SD-WAN. Steve Garson, President of SD-WAN Experts, discusses the practical questions you should ask when evaluating any SD-WAN. Learn what aspects of network performance SD-WAN can really improve, and when service insertion and service chaining are needed. Discover why security is still a problem for SD-WAN (even though traffic is encrypted), and whether SD-WAN can really reduce WAN costs.

5 Ways to Architect Your WAN for Microsoft Office 365

As companies shift to the cloud, many are embracing Microsoft Office 365. Take a practical look at how to build the right WAN for your Office 365 deployment and what the best practices are for deploying Office 365 across the WAN. Learn why traditional networks are a poor fit for Office 365, which components of Office 365 cause problems for networks, and why. The webinar also discusses 5 architectures for deploying Office 365 and how they differ in terms of security, performance, reliability, and costs.

Delivering on the 6 Promises of SD-WAN

SD-WAN promises to make your network simple, agile, secure, optimized, global, and affordable. However, there are challenges in realizing the transformative impact of SD-WAN on your network.
Discover how a new SD-WAN architecture converges a global backbone, firewall as a service, edge optimization, and self-service management to dramatically reduce the cost and complexity of enterprise networking. You will also hear real-life examples of how enterprises of all sizes use Cato Networks’ SD-WAN to securely connect their global and regional locations, mobile users, and cloud resources.

Want to Learn More?

Cato’s secure and global SD-WAN enables customers to eliminate multiple point products and the cost, complexity, and risk associated with maintaining them. WAN transformation presents a full roadmap for streamlining the networking and security infrastructure of your organization. Stay up-to-date with the latest blogs on current WAN technologies to help your business reduce costs, improve user experience, and simplify administration.

What is Firewall as a Service (FWaaS) and Why You Need It

Since the beginning of networks, the linchpin of network security has been the firewall. The first network firewalls appeared in the late 1980s and gained almost universal acceptance by the early 1990s. It was not until 2009 that firewalls as we know them started to undergo a significant change, with the rise of the Next Generation Firewall (NGFW) that performs deep inspection of traffic. In 2017, Gartner analyst Greg Young published Hype Cycle for Threat-Facing Technologies, where he describes Firewall as a Service (FWaaS) as a category “on the rise” with a “high benefit” rating. So what is a Firewall as a Service and why do you need it?

What is FWaaS, and Why Do You Need It?

FWaaS is a new type of Next Generation Firewall. According to Gartner’s report, Firewall as a Service is a firewall delivered as a cloud-based service that allows customers to partially or fully move security inspection to a cloud infrastructure. It does not just conceal physical firewall appliances behind a cloud of smoke and mirrors, but actually eliminates the appliance altogether. With this technology, an organization’s sites are connected to a single, logical, global firewall with a unified application-aware security policy. FWaaS takes advantage of advances in software and cloud technologies to deliver a wide range of network security capabilities on demand wherever businesses need them, including URL filtering, network forensics, and infection prevention. All enterprise traffic from datacenters, branches, mobile users, and cloud infrastructure is aggregated into the cloud. This allows a comprehensive security policy to be enforced on WAN and Internet traffic, for fixed-location and mobile users.

Advantages

Compared to traditional firewalls, FWaaS improves scalability, provides a unified security policy, improves visibility, and simplifies management.
These features allow an organization to spend less time on repetitive tasks such as patching and upgrades, and provide responsive scalability to fast-changing business requirements.

Scalability

FWaaS provides the necessary resources to perform complete security processing on all traffic, as opposed to physical appliances. IT staff also no longer need to be concerned about capacity planning when upgrading security appliances. This elastic capacity allows for the rapid deployment of additional sites and changes in bandwidth requirements.

Unified Policy

Despite the presence of centralized management consoles, uniform policy management across all devices is difficult to achieve, especially if there is a mix of models or vendor products. For example, if some branch locations are not connected via MPLS, separate firewalls may be required, forcing security administrators to manage separate network security policies. FWaaS eliminates those issues by uniformly applying the security policy on all traffic, for all locations and users.

Visibility

Solutions such as Secure Web Gateways in the cloud don't provide visibility into the WAN. Thus, a separate firewall solution is required for the WAN. Both Secure Web Gateways and physical or virtual firewalls deployed in the cloud also lack the ability to connect mobile users back to the office. With FWaaS and SD-WAN, one logical network allows for full visibility and control. All WAN and Internet traffic, both unencrypted and encrypted, is visible to the firewall, meaning there are no blind spots and no need to deploy and monitor multiple appliances.

Maintenance

Managing physical firewall appliances means maintaining the software through patches and upgrades, which introduces additional risk as upgrades can fail or are skipped altogether. With FWaaS, there’s no need to size, upgrade, patch, or refresh firewalls.
Finally, IT staff can focus on delivering true value to the business through early detection and mitigation of risks without endlessly fiddling with appliance maintenance tasks.

But What About The Cloud?

The Gartner report Hype Cycle for Threat-Facing Technologies, 2017 warns that while FWaaS has fast growth potential, vendors need to provide more than cost-effectiveness to convince enterprises to embrace a cloud infrastructure as a core security component. Consistently good latency needs to be prioritized, and failure to integrate with other cloud services and SD-WANs is not acceptable. The FWaaS solution from Cato Networks addresses this concern by providing Firewall as a Service (FWaaS) as part of an optimized, global SD-WAN service, ensuring resilient connectivity to its FWaaS from any region or cloud service.

Plans of the Future are Better Than the History of the Past

WAN Optimization vs. SD-WAN, or Why You Need Both

The widespread adoption of Software-Defined Wide-Area-Network (SD-WAN) in recent years has caused many to wonder whether WAN optimization is still necessary. The technologies are similar. Both improve the underlying network, but they do so in different ways: WAN optimization improves the throughput of a specific link; SD-WAN improves the agility and manageability of the full network. By understanding the strengths and limitations of these two technologies you can best understand how they should be deployed and where secure access service edge (SASE) fits into the picture. Let’s take a closer look.

Understanding WAN Optimization

Definition of WAN Optimization

WAN optimization — also referred to as WAN acceleration — refers to a collection of technologies designed to improve the throughput of a wide area network (WAN) connection. More specifically, the rise of WAN optimization began around 2004 and addressed the limited capacity of costly MPLS and leased-line connections.

The Pros of WAN Optimization

WAN optimization addresses MPLS limitations by tackling the three primary networking issues impacting the user experience when accessing data across the WAN: bandwidth, latency, and packet loss.

Bandwidth: Bandwidth limitations are addressed by minimizing the amount of data passed across the network. Typically this is done through compression and deduplication algorithms. To ensure applications don’t “hog” the capacity of a connection, WAN optimization appliances will also prioritize application traffic. This way applications that need immediate access to the wire, such as voice calls, are guaranteed access even during heavy usage.

Latency: As the distance between end-users and their data grows, bandwidth gives way to latency and packet loss as the primary determinants of session capacity.
Network delay, or latency, is how long packets take to travel from one designated point to another. Latency is often measured to the destination and back, in what’s called the “round trip time” (RTT). Caching techniques and protocol-specific optimizations minimize the impact of latency by reducing the number of application-layer exchanges that are necessary across the network.

Packet Loss: Packet loss occurs when network congestion or problems in the physical infrastructure cause packets to be lost during transmission. It’s expressed as a percentage of packets. As a rule of thumb, Internet connections frequently experience 1 percent packet loss. Some WAN optimization appliances address packet loss using forward error correction (FEC), which allows receiving stations to automatically regenerate lost packets without requiring retransmission.

The Cons of WAN Optimization

While WAN optimization can improve the throughput of a single connection, it doesn’t address the agility and management requirements of today's enterprises. Furthermore, there are specific limitations to the WAN optimization technology itself, particularly as they relate to today’s enterprise challenges:

Performance degradation for dynamic or real-time applications: Real-time applications, such as voice and video conferencing, are not helped by WAN optimization. These applications require low latency and real-time data transmission, and the additional processing introduced by WAN optimization techniques can potentially introduce delays and affect performance.

Limited effectiveness for certain applications: Data compression and data deduplication work well with files containing a lot of repeated data, such as imaging files. But compressed files or files without repeating data patterns will not benefit substantially from the compression or deduplication of WAN optimization.
The encryption problem: Most enterprise traffic today is encrypted, and data compression and deduplication are ineffective on encrypted traffic. Encrypted data cannot be compressed or deduplicated, as it is already scrambled for security reasons.

Limited effectiveness for certain network conditions: While WAN optimization can significantly improve network performance under normal or congested conditions, its benefits may diminish in cases where the network conditions are extremely poor, such as high packet loss or severe network congestion. In such scenarios, WAN optimization may not be able to overcome the inherent limitations of the network itself.

High cost: Implementing and maintaining WAN optimization solutions is expensive, requiring specialized hardware at each site. Appliances need to be scaled as traffic levels grow. Additionally, organizations may need to invest in ongoing support and maintenance for the WAN optimization appliances.

Deployment complexity: WAN optimization can be complex to deploy, involving the configuration and management of multiple devices across different locations. This complexity can require expertise and careful planning during the deployment process.

When to Use WAN Optimization

WAN optimization is a technology designed to improve the throughput and stability of an individual path on a WAN. It’s especially important when networks suffer from high latency, such as global connections. When the main challenge is a high-latency, bandwidth-limited connection carrying highly compressible traffic, WAN optimization may be the right solution.

Understanding SD-WAN

Definition of SD-WAN

Originally coined in 2014 by Gartner, SD-WAN is a virtual WAN architecture that abstracts the applications and services from the underlying network infrastructure by creating a secure overlay between the SD-WAN devices situated at each location.
The overlay is application-aware and handles all traffic steering and path selection, enabling the SD-WAN to pick the optimum path for each application.

Advantages of SD-WAN

Whereas WAN optimization focuses on the performance of an individual connection, SD-WAN improves the traffic management and agility of the overall network. More specifically, SD-WAN addresses key issues impairing MPLS networks:

Reduced Costs: SD-WAN provides high throughput and reliable connections across affordable Internet lines, eliminating the costs of multiprotocol label switching (MPLS) circuits. The result is a less expensive corporate WAN that still meets the needs of the business and its applications.

Enhanced WAN Performance: SD-WAN improves WAN performance by aggregating connections for more throughput and by identifying the optimum path for each application flow across the WAN. It also eliminates the "trombone effect", where traffic is backhauled through the corporate data center for security inspection.

Improved WAN Agility: SD-WAN separates the network from the underlying transport, letting IT select the last-mile connection: xDSL, fiber, or 3G/4G. This is more agile than MPLS, which requires the provisioning of dedicated circuits for new offices.

Simplified WAN Management: SD-WAN can be implemented as a network of centrally managed, identical devices, which is easier to manage than other ways of building a corporate WAN, such as MPLS or VPNs.

Increased WAN Availability: SD-WAN can distribute traffic across multiple last-mile connections, providing a high level of resiliency and availability because it can fail over when a preferred line is unavailable.

Disadvantages of SD-WAN

However, SD-WAN suffers from several disadvantages when it comes to addressing the needs of today's enterprises:

Lack of Security: SD-WAN does not provide the advanced security needed to protect enterprises from today's cyber attacks.
There is no antimalware or IPS built into SD-WAN, so SD-WAN deployments require firewalls and other security tools in addition to the SD-WAN appliances.

Poor Global Performance: SD-WAN alone runs across the public Internet, which means it is subject to the unpredictability of Internet routing. As such, SD-WAN cannot provide the predictability enterprises expect from their corporate networks.

Remote Access Not Included: SD-WAN was devised as an MPLS replacement to better connect branch offices. It was never extended to address hybrid and remote work. Remote and mobile users need additional remote access software, increasing management complexity as IT is forced to secure, maintain, and manage a whole other infrastructure.

Poorly Suited for the Cloud: SD-WAN does not naturally extend to cloud applications and cloud data centers.

When to Use SD-WAN

SD-WAN aims to improve the agility and manageability of the entire WAN. Use it when looking to address the limitations of legacy MPLS networks, but be aware of its own limitations: lack of advanced security, poor global performance, no remote access, and limited cloud support. Whichever SD-WAN provider you choose should articulate a simple migration path for addressing those challenges.

Comparison between WAN Optimization and SD-WAN

Both solutions are designed to improve the performance of the corporate WAN, yet they do so in different ways. WAN optimization improves network performance within the existing network medium and infrastructure; for example, it optimizes how data is transferred over the network and reduces the volume of data transferred through caching and similar techniques. SD-WAN, on the other hand, redefines the network infrastructure. It creates a virtual overlay over one or more existing transport media and optimally and securely routes traffic between SD-WAN appliances.
In essence, SD-WAN improves network performance and resiliency by making use of all available transport media and restructuring the network, while WAN optimization works within the existing architecture to make it perform as well as possible.

SD-WAN and WAN Optimization Working Together

To take advantage of the benefits of both SD-WAN and WAN optimization, look for single-vendor SASE solutions such as Cato Networks' Secure, Global SD-WAN as a Service. SASE solutions contain elements of WAN optimization and SD-WAN while addressing the limitations of both. Cato SASE Cloud is the world's leading single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud-native service. Cato optimizes and secures application access for all users and locations, everywhere.
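The WAN optimization section of this post makes two claims worth testing side by side: FEC lets the receiver rebuild a lost packet without a retransmission, and compression and deduplication get nothing from encrypted traffic. The script below is an added example written for this page, not code from the original article or from any vendor's product. It constructs a sample of repetitive HTTP traffic, uses a SHA-256 counter-mode keystream as a stand-in for the TLS/IPsec cipher (an assumption; a real link would use AES-GCM or similar, but the relevant property, ciphertext that looks random, is the same), and runs fixed-size chunk deduplication, zlib compression, and one-parity-packet-per-group XOR FEC over both the plaintext and the encrypted copies.

```python
import hashlib
import os
import random
import zlib

# Constructed sample traffic: near-identical HTTP requests with incrementing ids.
REQUEST = b"GET /api/v1/orders?id=%05d HTTP/1.1\r\nHost: erp.example.internal\r\n\r\n"
DOC_A = b"".join(REQUEST % i for i in range(1000))
DOC_B = b"".join(REQUEST % i for i in range(2000))  # shares DOC_A as its prefix


def toy_encrypt(data, key):
    """Stand-in for TLS/IPsec payload encryption: SHA-256 counter-mode keystream
    XORed over the data (assumption; real links use AES-GCM or similar)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def compression_ratio(data):
    """Compressed size / original size; lower is better, ~1.0 means no gain."""
    return len(zlib.compress(data, 9)) / len(data)


def dedup_stats(blobs, chunk_size=4096):
    """Fixed-size chunk deduplication. Returns (total_chunks, unique_chunks)."""
    seen, total = set(), 0
    for blob in blobs:
        for off in range(0, len(blob), chunk_size):
            total += 1
            seen.add(hashlib.sha256(blob[off:off + chunk_size]).digest())
    return total, len(seen)


def optimizer_gains():
    """Compression and dedup on plaintext versus on per-session encrypted copies."""
    enc_a = toy_encrypt(DOC_A, os.urandom(32))  # each flow gets its own key
    enc_b = toy_encrypt(DOC_B, os.urandom(32))
    total_p, unique_p = dedup_stats([DOC_A, DOC_B])
    total_e, unique_e = dedup_stats([enc_a, enc_b])
    return {
        "plain_compress_ratio": compression_ratio(DOC_A),
        "encrypted_compress_ratio": compression_ratio(enc_a),
        "plain_duplicate_chunks": total_p - unique_p,
        "encrypted_duplicate_chunks": total_e - unique_e,
    }


def xor_blocks(blocks):
    """XOR equal-length byte strings together (the parity operation)."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def recover_group(received, parity):
    """`received` holds a group's payloads with None for lost ones. Returns
    (payloads, unrecoverable): a single loss is rebuilt as parity XOR the rest;
    two or more losses, or a lost parity packet, still need a retransmission."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) == 1 and parity is not None:
        rebuilt = list(received)
        rebuilt[missing[0]] = xor_blocks([p for p in received if p is not None] + [parity])
        return rebuilt, 0
    return list(received), len(missing)


def fec_over_lossy_link(data, k=4, size=1200, loss_rate=0.01, seed=1):
    """Split data into fixed-size packets, add one parity packet per k, drop
    packets at random, and count what FEC rebuilds without a retransmission.
    Works the same on encrypted data: XOR parity does not care about content."""
    rng = random.Random(seed)
    packets = [data[i:i + size].ljust(size, b"\0") for i in range(0, len(data), size)]
    stats = {"sent": 0, "lost": 0, "recovered": 0, "unrecoverable": 0}
    for g in range(0, len(packets), k):
        group = packets[g:g + k]
        parity = xor_blocks(group)
        arrived = [p if rng.random() >= loss_rate else None for p in group]
        parity_ok = parity if rng.random() >= loss_rate else None
        rebuilt, unrec = recover_group(arrived, parity_ok)
        lost = sum(p is None for p in arrived)
        stats["sent"] += len(group) + 1
        stats["lost"] += lost
        stats["recovered"] += lost - unrec
        stats["unrecoverable"] += unrec
        assert all(r == o for r, o in zip(rebuilt, group) if r is not None)
    return stats


if __name__ == "__main__":
    print(optimizer_gains())
    print(fec_over_lossy_link(toy_encrypt(DOC_B, os.urandom(32)), loss_rate=0.05))
```

On the plaintext the compressor shrinks the sample to a small fraction of its size and dedup finds every full chunk of DOC_A again inside DOC_B; on the encrypted copies the compression ratio sits at about 1.0 and no chunk repeats, because each session's keystream differs. The FEC pass, by contrast, recovers single losses whether or not the payload is encrypted, and the counters show the residual (two losses in one group, or a lost parity packet) that still has to fall back to retransmission.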

3 ways Cato Cloud isn’t your father’s (or mother’s) SD-WAN

IT teams are excited about the opportunities afforded by SD-WAN. Rapid deployment. Incredible capacity. If you've read this blog for any amount of time (or followed SD-WAN's development in other blogs, for that matter) you'll know what I'm talking about. But what's interesting about Cato SD-WAN is that even the SD-WAN hype doesn't do it justice. Cato Cloud is more than just SD-WAN. It converges threat protection, cloud security, SLA-backed networking, and optimized mobile access, as well as SD-WAN, into a single, global network. With so many capabilities, Cato Cloud is being used by enterprises to address a diverse range of challenges beyond what's normally seen with SD-WAN. Yishay, our vice president of marketing, recently explored several unusual ways customers leverage Cato Cloud in our webinar "SD-WAN: Use Case and Success Stories." I encourage you to listen to the replay. Here are three examples from that webinar.

Reduce latency between global locations

While most webinar respondents (53 percent) identify MPLS costs as a major challenge, eliminating MPLS completely often remains impossible for SD-WAN solutions, particularly for global networks. The basic challenge of global Internet connectivity is the inability to control IP routing, which leads to unpredictable latency and packet loss and hurts the user experience. As a result, organizations are often forced to keep some MPLS investment even after deploying SD-WAN. That's not the case with Cato. Cato Cloud is a global cloud network with about 40 PoPs across the globe. By connecting users, branches, or cloud resources to any two PoPs, customers get optimal, SLA-backed routing between those locations. Traffic is subject to neither the erratic routing of the global Internet nor the costs of MPLS.
"With Cato, we connected our twenty-one sites and still saved 30 percent on the costs of our (previous) six-site MPLS network," says Stuart Gall, the Infrastructure Architect in the Network and Systems Group at Paysafe, a leading global provider of end-to-end payment solutions. "And we didn't compromise on performance. During our testing, we found latency from Cambridge to Montreal to be 45% less with Cato Cloud than with the public Internet and about the same as MPLS."

(Figure: Performance testing: Cato Cloud vs. MPLS vs. Internet VPN)

Affordable MPLS alternative

As Cato provides a global network with performance comparable to MPLS, organizations find they can fully eliminate MPLS and dramatically reduce their WAN costs. Cutting costs, as you might expect, was of major interest to webinar respondents: the overwhelming majority (78 percent) pointed to the cost of MPLS managed services as a WAN challenge. Fisher & Company is a typical example of how Cato customers reduce their WAN spend and get more value from it. The automotive-industry manufacturer relied on a managed MPLS service for its global network. The delays and costs of running an MPLS network led Kevin McDaid, the systems manager at Fisher & Company, to look at various options. "With Cato, the costs of our connection to Mexico alone dropped more than 80 percent, and we received twice the capacity," he says (see "Cato vs. MPLS: Annual Spend Comparison").

(Figure: Cato vs. MPLS: Annual Spend Comparison)

Alewijnse, a global engineering firm, had a similar story. Its locations span Europe and Asia and were connected by a mix of MPLS and site-to-site VPNs. The team there was also looking to reduce MPLS costs and consolidate security for all locations.
"With Cato, monthly costs dropped 25% and yet we still received 10x more bandwidth," says Willem-Jan Herckenrath, Manager of ICT at Alewijnse.

Branch appliance elimination

Many webinar respondents (58 percent) also indicated that branch security was a major WAN challenge. Cato Cloud addresses the many problems associated with branch appliances. Cato includes a complete security stack, eliminating the need for NGFW, SWG, and IPS/IDS appliances in the branch. Gone is the testing, deployment, and patching of security appliances; Cato Research Labs is responsible for maintaining the branch security infrastructure and keeping it current. Pet Lovers Centre is a great example of the power of branch appliance elimination. The company is a leading Asian retailer of pet products and services with more than 100 partners and locations spread across Singapore, Malaysia, and Thailand. The company needed to provide local Internet access to its stores. Deploying security appliances on-site would have been too expensive and taken too long, says David Whye Tye Ng, the CEO and executive director at Pet Lovers. Instead they opted for Cato Cloud. "Before, security management was tedious and slow. Now, we can implement policies immediately by ourselves," he says.

One solution to many, many problems

Like the proverbial Swiss Army knife, Cato Cloud packs many tools into one package. Calling it simply "SD-WAN" misses the point. Cato Cloud leads to true WAN transformation, converging all users and all locations onto a single, global platform, controlled and secured by a single set of policies. Again, check out Yishay's webinar to learn more about the agility of Cato Cloud.

MPLS, VPN Internet Access, Cloud Networking or SD-WAN? Choose Wisely

When it comes to the enterprise network, decisions need to be made with cost, performance, security, and future plans in mind. Enterprise networking is moving from traditional hub-and-spoke WAN architectures to infrastructure that must support the migration of critical applications to the cloud. And yet, according to Gartner analyst Joe Skorupa, "When businesses decide to move to the cloud, the network tends to be an afterthought." Many businesses today are expanding globally, relying on data and applications in the cloud, and are driven by an increasingly mobile workforce. Rather than leave networking as an afterthought, shrewd IT leaders reconsider the available options on an ongoing basis to ensure their enterprise networks keep their business ahead of the competition. To stay ahead of the pack, you should be improving your network and security infrastructure so that it has the flexibility and strength to handle not just today's bandwidth demands but tomorrow's as well. So what are the options for dealing with ever-changing enterprise network requirements?

MPLS: Reliable, But Comes with a Price

The popularity of MPLS in corporate WAN infrastructures comes from its predictability. Service providers can use MPLS to improve quality of service (QoS) by defining network paths that meet pre-set service level agreements (SLAs) on latency, jitter, packet loss, and downtime. However, MPLS connectivity from the service provider to the on-premises routers is notoriously expensive, and provisioning with the provider can take 3-6 months. As adoption of cloud services and Software-as-a-Service (SaaS) delivery models grows, traditional MPLS architectures become less effective: cloud and SaaS traffic must first be brought from the branch to a secured Internet access point at a central location.
As such, traditional MPLS architectures find it difficult to offer low-latency, high-performance access to cloud and SaaS applications and services.

Internet VPNs: Cheaper, But Flawed

For the past decade, Internet VPNs have been a staple of many global enterprise WANs. They are often used out of necessity, with cost pressure forcing enterprises to simply live with the Internet's performance limitations. Although an Internet VPN is lower-cost than MPLS, it comes with no SLA on performance and no performance guarantee during peak hours. Internet VPNs also require physical appliances, such as routers and firewalls, to be installed and maintained at each location in the enterprise network. Appliance sprawl is a common issue, and appliance refreshes eat into the cost savings of the solution.

SD-WAN: The New Contemporary

Software-defined WAN (SD-WAN) is a new approach to network connectivity that lowers operational costs and optimizes resource usage for multi-site deployments. It allows bandwidth to be used more efficiently and ensures the highest possible level of performance for critical applications without sacrificing security or data privacy. According to the Gartner report Market Guide for WAN Edge Infrastructure, published in March 2017, SD-WAN and vCPE are key technologies to help enterprises transform their networks from fragile to agile. One of the primary characteristics of an SD-WAN is its ability to manage multiple connections. The technology dynamically routes traffic over the best available transport, whether that is MPLS, cable, xDSL, or 4G/LTE. As such, SD-WAN can connect offices to multiple active transports at one time, which intrinsically provides improved redundancy and more capacity. SD-WAN can eliminate the backhaul penalties of traditional MPLS networks and leverage the Internet to provide high-performance connections from the branch to the cloud.
With SD-WAN, remote users can see significant improvements in their experience when using cloud or SaaS-based applications. Another significant benefit of SD-WAN is cost. Gartner analyst Andrew Lerner, who tracks the SD-WAN market closely, estimates that an SD-WAN can be up to two and a half times less expensive than a traditional WAN architecture.

A standard SD-WAN does have its challenges. SD-WAN directs WAN traffic across encrypted Internet tunnels, which provides the most basic security needed to send traffic over a public network. However, accessing websites and cloud applications directly from a remote office requires separate firewall services. Companies have to extend their security architecture to support SD-WAN projects using edge firewalls, cloud-based security services, or backhauling, which, of course, increases complexity and cost. And because SD-WAN uses the public Internet, where latency is unpredictable, enterprises will need to keep some MPLS capacity if they must support latency-sensitive applications such as voice and video.

Cato: Global Cloud Network + SD-WAN

To address the challenges that a basic SD-WAN presents, Cato Networks is building the new software-defined WAN in the cloud, protected by a tightly integrated set of security services. The Cato Cloud connects all business resources, including data centers, branches, mobile users, and cloud infrastructure, into a simple, secure, and unified global network. No more costly connectivity services, complex point-solution deployments, capacity constraints, maintenance overhead, or restricted visibility and control. Cato Networks' focus has been SD-WAN from the start, but what really sets Cato apart from other SD-WAN offerings is the global backbone the company has developed. This backbone is built across 40 global Points of Presence (PoPs) and uses connections from multiple carriers.
An enterprise-grade network security stack built into the backbone extends security everywhere without the need to deploy additional security products. This eliminates the need for a stack of security devices at each branch location and provides a more unified management and policy domain. Essentially, Cato provides all the benefits of SD-WAN and removes the challenges, making SD-WAN an elegantly simple solution that cuts costs and streamlines operations in a secure, high-performance enterprise network. It's time to choose, and SD-WAN using Cato's global cloud network is a wise choice. Learn more about SD-WAN and related topics at https://www.catonetworks.com/blog/

Paysafe Fixes Active Directory, Improves Throughput, and Reduces Costs By Converging MPLS and Internet-based VPN onto Cato Cloud

With executives starting to complain about being unable to access corporate resources when visiting other company offices, the IT team at Paysafe knew the time was ripe for WAN transformation. Those complaints were just a symptom of the costs and complexity that had grown up around its global network architecture. Paysafe is a leading global provider of end-to-end payment solutions, with over 2,600 employees in 21 locations around the world. Over the years, mergers and acquisitions (M&As) had left Paysafe with a mix of offices connected by MPLS and Internet-based VPNs, and it was that mix of backbone technologies that contributed to Paysafe's access problems. The company depended on local Active Directory (AD) servers at its locations to manage permissions to applications and other corporate resources. For AD to work, the domain controllers have to replicate their data to one another. Without a full mesh connecting all locations, AD operation became erratic, with updates from the distributed domain controllers propagating too slowly, if at all. Users found themselves locked out of some accounts in one location but not another, explains Stuart Gall, Infrastructure Architect in Paysafe's Network and Systems Group. But neither Internet-based VPN nor MPLS was suitable for connecting all locations. A fully meshed Internet-based VPN was too complicated to configure: it would have meant configuring 210 tunnels (one between every pair of the 21 sites), says Stuart, requiring far too much time to build and monitor. MPLS was no better. The costs were too high for many locations, and then there was the lack of agility. "Deploying MPLS sites was a nightmare. Depending on where you are in the world, you could require two to three months of lead time," he says.
Instead, users ended up relying on the company’s mobile VPN solution while within their own offices, something that just didn’t sit right with Stuart. “Users might just accept that as normal, but as an engineer, I know we need to be better,” he says, “We need to go that extra mile; we need that ‘wow factor.’” SD-WAN was the logical option and Stuart ended up evaluating the leading SD-WAN appliances and services, including Cato Cloud. “The biggest eye-opener for me was that there are two completely different technology architectures called ‘SD-WAN,’” he says. “Some don’t provide the infrastructure, only doing intelligent routing over your own network or the Internet, while others include the infrastructure.” For him, the answer was obvious. “We didn’t want a routing management solution; we wanted a core network with lower latency.” Stuart evaluated other competing SD-WAN services besides Cato but had concerns about costs, security, availability, and management. “One global SD-WAN service provider was twice as expensive as Cato,” he says. Stuart also preferred how Cato enrolled new locations. “The way the other SD-WAN service provider handled security was appalling,” he says. “Cato’s security background comes through.” Cato had other advantages as well, such as availability. “In the worst-case scenario, if there were a countrywide outage, my Cato locations would automatically reconnect to the closest point-of-presence (PoP). Latency might be screwy, but at least we’d have connectivity. The other provider? Its locations would be down and require provider intervention to fix.” With Cato, Stuart can monitor, manage, and troubleshoot outages and problems himself. “The other SD-WAN service was managed only by the provider. There’s a nice visibility console but no control. Any changes require opening trouble tickets with the provider; it’s very carrier-like. 
With Cato, we can fully manage the SD-WAN ourselves or tap its support." Stuart decided to converge his MPLS and Internet-based VPN networks into Cato Cloud. With Cato, he received MPLS-like performance at Internet-like prices. "With Cato," says Stuart, "we connected our twenty-one sites and still saved 30% on costs compared to our six-site MPLS network." To learn more about how Paysafe adopted Cato's secure cloud-based SD-WAN as an affordable MPLS alternative, read the full case study.

Why SD-WAN is the Future of Global Connectivity

We've long touted the benefits of a software-defined wide area network (SD-WAN), so it's encouraging to see that enterprises are increasingly recognizing its value. IDC recently surveyed mid-market enterprises and found they are rapidly embracing SD-WAN infrastructure and services. Surveyed companies cited bandwidth optimization, consistent application security, improved automation, and self-provisioning as the top reasons they are considering SD-WAN. Rohit Mehra, vice president of Network Infrastructure at IDC, noted that the enterprise WAN is rapidly being "re-architected to cost-effectively deliver new, secure capabilities," and that adopting solutions such as SD-WAN will be a "key ingredient for success." We couldn't have said it better ourselves, but we should explain more about why SD-WAN is a good fit for the demanding digital business needs of today.

Cloud Adoption Drives the Need for Better Connectivity

Cloud-based applications make the business world go round. With the evolution of the cloud, networks directly affect our access to business-critical applications, data, social media services, video conferences, and more. Applications are not uniform; they do not all need the same speed, latency, and performance from the network. By boosting network capacity exactly where it is needed, SD-WAN ensures the quality of application delivery. At the same time, SD-WAN's dynamic path selection avoids congestion points and diverts traffic to less-traveled routes. This kind of responsive load balancing lets IT deliver the high-quality data transfers that high-performance apps need.

Efficient Use of Resources

The "SD" in SD-WAN could also stand for "simple deployment." These solutions are straightforward to implement and manage.
SD-WAN uses a virtual overlay to abstract the underlying network connections, which simplifies operations by routing critical application traffic over a high-quality connection while shifting less important application traffic to a lower-tier Quality-of-Service (QoS) connection. SD-WAN especially benefits global companies with multiple locations. Gartner estimates that provisioning network changes at branch offices with SD-WAN reduces deployment time by as much as 80 percent, and companies using SD-WAN no longer have to spend more money to re-architect bandwidth allocations at branch offices.

Avoid Appliance Sprawl

Network management has long been hamstrung by technology sprawl: firewall systems and appliance boxes that have to be purchased and deployed at every site. In-house infrastructure requires maintenance, upgrades, subscription renewals and, ultimately, replacement. Just as importantly, rules and security capabilities are fixed at purchase, and you usually cannot adjust the hardware to improve performance. SD-WAN, on the other hand, is software-defined. It is not an unchangeable piece of architecture that outlives its usefulness while payments are still being made; it is flexible and lets enterprises do more with less. With one software service, SD-WAN offers routing, WAN path selection and acceleration, and application performance management, allowing IT teams to manage applications on a per-user and per-location basis.

A True Way to Cut Costs

Money matters, of course, which is why cost savings are almost reason enough on their own to consider SD-WAN. Gartner analyst Andrew Lerner says SD-WAN can be up to two and a half times less expensive than a traditional WAN architecture. Cost is one of the main reasons MPLS growth has leveled off despite massive growth in enterprise data usage and cloud connectivity needs. MPLS circuits are expensive and often put companies in the uncomfortable position of debating whether to sacrifice performance to keep costs in check.
More often than not, enterprises have to pay for business-grade Internet and several services with redundant links to meet uptime expectations. With SD-WAN, however, cheaper public Internet circuits such as Ethernet, DSL, and cable are usually one-third to half the cost of MPLS links at comparable speeds, and SD-WAN does not diminish network performance, so productivity keeps humming along.

SD-WAN Holds Great Promise to Revolutionize Networking as We Know It

Application performance is always a top priority for enterprises, but so is the opportunity to lower IT costs. So it is no surprise analysts expect SD-WAN to become a must-have technology service in today's globalized world. SD-WAN helps businesses effectively manage the network demands of cloud-based applications while greatly reducing costs.
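This post, like the earlier WAN optimization vs. SD-WAN and MPLS-vs-SD-WAN posts above, describes SD-WAN's core mechanism in one sentence: steer each application over the best of several last-mile links, keep bulk traffic off premium circuits, and fail over when a link goes down. The code below is an added example written for this page to make that control-plane decision concrete; it is not code from the original article or from any SD-WAN vendor. The link names, probe values, SLA thresholds and scoring weights are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace


@dataclass
class Link:
    """Latest probe results for one last-mile circuit (constructed values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    monthly_cost: int  # relative cost tier, used to keep bulk off premium circuits
    up: bool = True


# Per-application-class SLA thresholds. Assumed values for the example, not
# figures from the article or any vendor.
APP_CLASSES = {
    "voice": {"max_latency_ms": 150, "max_jitter_ms": 30, "max_loss_pct": 1.0, "prefer": "quality"},
    "saas": {"max_latency_ms": 200, "max_jitter_ms": 60, "max_loss_pct": 2.0, "prefer": "quality"},
    "bulk": {"max_latency_ms": 400, "max_jitter_ms": 200, "max_loss_pct": 5.0, "prefer": "cost"},
}


def quality_score(link):
    """Lower is better: latency penalised by jitter and loss (assumed weights)."""
    return link.latency_ms + 2 * link.jitter_ms + 50 * link.loss_pct


def select_path(app_class, links):
    """Pick a link for one application class from the latest probes.
    Returns (link_name, degraded). degraded=True means no live link met the
    class's SLA and the least-bad live link was used; (None, True) means every
    link is down and the flow cannot be carried at all."""
    sla = APP_CLASSES[app_class]
    live = [l for l in links if l.up]
    if not live:
        return None, True
    eligible = [l for l in live
                if l.latency_ms <= sla["max_latency_ms"]
                and l.jitter_ms <= sla["max_jitter_ms"]
                and l.loss_pct <= sla["max_loss_pct"]]
    if not eligible:
        return min(live, key=quality_score).name, True
    if sla["prefer"] == "cost":
        return min(eligible, key=lambda l: l.monthly_cost).name, False
    return min(eligible, key=quality_score).name, False


def steer(flows, links):
    """Map each (flow_id, app_class) to a path, as the overlay's control plane would."""
    return {flow_id: select_path(app_class, links) for flow_id, app_class in flows}


def fail(links, name):
    """Return a copy of the link table with one circuit marked down."""
    return [replace(l, up=False) if l.name == name else l for l in links]


# Constructed probe results for one branch with three last-mile circuits.
BRANCH_LINKS = [
    Link("mpls", latency_ms=40, jitter_ms=2, loss_pct=0.0, monthly_cost=1200),
    Link("fiber_isp", latency_ms=55, jitter_ms=8, loss_pct=0.5, monthly_cost=300),
    Link("lte", latency_ms=90, jitter_ms=35, loss_pct=1.5, monthly_cost=150),
]
FLOWS = [("sip-call-1", "voice"), ("o365-sync", "saas"), ("nightly-backup", "bulk")]

if __name__ == "__main__":
    print("all links up:", steer(FLOWS, BRANCH_LINKS))
    print("mpls down:   ", steer(FLOWS, fail(BRANCH_LINKS, "mpls")))
```

With every circuit up, voice and SaaS land on the MPLS line because it scores best, while the backup goes out over the cheapest eligible link; when MPLS is failed, voice moves to the fiber ISP line without any configuration change, and if only LTE survives the voice flow is still carried but flagged as degraded, which is the condition an operator would want alarmed rather than silently accepted.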

10 Reasons To Choose Firewall as a Service For Your Enterprise

Recent trends in enterprise networking have created a challenge for network security engineers. The rise of mobile devices, combined with the shift to cloud-based platforms, means that many networks no longer have a clear perimeter within which all applications and users could be jointly protected against cyber attacks. Today, we have to move with the times and create a more flexible way of managing security; the tools that served us well within a well-defined organizational perimeter will no longer suffice. Unsurprisingly, a recent poll by Cato Networks found that 59% of respondents named monitoring and handling of security incidents as their biggest concern. When it comes to appliance-based security, the key challenges we face are:

Appliance sprawl — placing and managing appliances in every branch office within an extended perimeter is a massive task

Appliance avoidance — allowing end users to access the Internet and SaaS applications directly introduces security risks and vulnerabilities into the network

Forced appliance upgrades — appliance-based firewalls often require forced or unplanned upgrades due to increased traffic volume and a growing share of SSL traffic

Mobile, remote and cloud access — allowing mobile and remote users access to business applications results in loss of visibility and control

Out of the need to protect the increasingly fuzzy perimeter comes a new approach to cyber security: Firewall as a Service, or FWaaS, which delivers firewall and other network security capabilities as a cloud service, completely eliminating the appliance form factor. Gartner has classified FWaaS in its latest Hype Cycle report as an "on the rise" technology, recognizing that a more flexible approach to protecting our networks is urgently needed.
Let's look at 10 reasons why FWaaS is rapidly gaining popularity in the enterprise space.

#1 Supporting a mobile workforce

We are in the midst of a revolution in the way we work. With advances in networking technology, remote working is now attractive to organizations of all sizes. A 2015 U.S. Bureau of Labor Statistics review of working practices found that 38% of employees did some or all of their work from home. Enterprises are accommodating this change by allowing mobile, SaaS, and cloud-based access to company resources and applications. This has smashed the concept of an enterprise perimeter wide open. Perimeter security technologies can no longer offer the flexibility and scope a modern enterprise needs, and this is where FWaaS steps in. The common practice for securing mobile users is to backhaul their traffic through the company data center: all traffic is pulled back to an on-premises firewall and from there sent out to the Internet. When all users must connect to a central location to reach cloud applications, performance and latency problems arise. The other way to secure mobile and remote traffic is to secure Internet traffic locally at each site, which causes appliance sprawl. FWaaS eliminates both problems by connecting mobile users through a global, SLA-backed cloud network that carries all traffic for all users and resources, including access to cloud and SaaS applications by mobile and remote users.

#2 Single global firewall

FWaaS truly eliminates the appliance form factor. Firewall as a Service makes firewall services available in all branch locations without installing additional hardware. The result? A single, logical global firewall with a single application-aware security policy for your entire organization.

#3 Avoiding appliance sprawl

The appliance lifecycle of handling, maintenance, configuration, policies, and upgrades, which requires immense effort and adds failure points to a network, is eliminated with FWaaS.
By taking the firewall function to the cloud, FWaaS eliminates the need for appliance build-up, so you do not need to worry about capacity planning or maintenance. FWaaS is fast to deploy and very flexible: you can grow at the click of a button without investing in expensive appliance upgrades.

#4 Performance

One of the biggest issues with appliance-based security is that physical devices are limited in performance. When a device faces increased load from higher traffic volume, or needs additional processing to decrypt a growing volume of SSL traffic, it often has to be upgraded to meet capacity requirements. Under budget constraints, the limits of physical appliances often force you to choose between security and cost efficiency, and remote branch security often suffers as a result. With FWaaS you no longer need complex sizing exercises to determine appliance capacity. Firewall as a Service lets your business grow organically with unrestricted scalability.

#5 Improved end-user experience

Both direct Internet access (appliance avoidance) and appliance sprawl make the lifecycle of perimeter security management onerous. Internet VPNs give a poor end-user experience because traffic routed over the public Internet can suffer high latency and packet loss, while routing traffic over an MPLS network comes with high costs. FWaaS avoids all of these problems and builds a user-friendly, yet secure, environment.

#6 Full visibility

Today's dynamic networks require a different approach. Many companies depend on expensive MPLS-based WANs to connect remote branches. Backhauling traffic through a central location produces the "trombone effect" when remote users try to reach SaaS and cloud-based business applications, and this setup leaves IT without control and visibility into the network.
By moving the firewall itself into the cloud, enterprises benefit from centralized management and unique security powered by full visibility into the entire network.

#7 Unified security policy

With FWaaS you can uniformly apply the security policy across all traffic, for all locations, and for all users, including mobile, remote and fixed users. Firewall as a Service supports the centralized management of security policy, enabling network-wide policy definition and enforcement.

#8 Keeping it simple

Maintenance and ongoing configuration management of appliances is a time-consuming and resource-intensive affair. In contrast, one of the main advantages of FWaaS is its uncomplicated architecture. It is fast to deploy and easy to maintain, offering a better network security option to overburdened IT teams. Instead of wasting time on sizing, deploying, patching, upgrading, and configuring numerous edge devices, work can shift to delivering true security value through early detection and fast mitigation of risk. The requirement for prompt software upgrades is removed. Capacity planning and deployment are fast, and the service is easy to maintain.

#9 Flexibility and scalability

One of the most important and timely features of an FWaaS is the scalability of the service. FWaaS can grow with a click of a button. Unlike appliance-based firewalls, which require replacement or upgrade of a physical device when bandwidth exceeds firewall throughput, FWaaS is designed to scale effortlessly as bandwidth increases.

#10 Comprehensive Security

Last, but not least, the security offered by a Firewall as a Service is a better fit for a modern extended enterprise network. FWaaS offers a centralized policy service with greater visibility, unique security features, and shared threat intelligence. With FWaaS, the entire organization is connected to a single, logical global firewall with a unified application-aware security policy.
It aggregates all enterprise traffic into the cloud and then enforces a comprehensive security policy on all traffic and users, both at fixed locations and mobile. To sum up, FWaaS is a scalable and manageable way of protecting your network. A global, policy-based service that auto-scales to any traffic load is a prerequisite for this new era of distributed business. FWaaS offers an enterprise a simple, flexible, and secure method of protecting its resources, while ensuring that overworked IT teams are not overburdened with complicated appliance care.

2018 Networking Survey: The Curse of Complexity Continues

The patchwork of appliances and network services comprising our wide area networks (WANs) has been with us for so long that it’s easy to overlook its impact on IT. High capital costs, hours spent maintaining and updating appliances, protracted troubleshooting times — so many of the networking challenges facing IT can be attributed to isolated factors whose only commonality is network complexity. It’s this “curse of complexity” that became a major theme in our new report, “State of WAN 2018: Too Complex to Ignore.”

The report canvassed 712 IT professionals about the factors driving, supporting, or inhibiting WAN transformation projects. All respondents came from organizations with MPLS backbones. They represented a cross-section of the IT market, with telecommunications, computers & electronics, and manufacturing being the most represented sectors. More than three-quarters were from organizations with more than 10 locations, and more than half (57 percent) indicated their organizations had 2-4 physical datacenters.

Key issues covered in our research included:

- The major drivers for networking transformation
- The benefits expected and realized by SD-WAN adopters
- Insight into how SD-WAN adopters view SD-WAN appliances and services
- Which cloud datacenter services and applications are most prevalent among enterprises
- The types of security architectures enterprises are evaluating for protecting cloud resources and mobile users

But it was the problems stemming from complexity, and their answer — simplification — that emerged most clearly from respondents’ answers. The most blatant indicator came in how respondents expected to use SD-WAN in 2018. Simplifying the network or security infrastructure was the primary use case for SD-WAN in 2018, drawing half of all respondents (50 percent).
Network & security simplification is the primary use case for SD-WAN in 2018

Complexity also emerged as respondents pointed to their primary networking and security challenges. “Equipment maintenance updates” was the number two challenge, while “managing the network” was number four. Anyone who's spent time maintaining the appliances of our networks knows all too well about the challenges. Enormous efforts are spent staging, testing, deploying and installing new patches and upgrading the numerous appliances in their networks. All of which makes network management far more difficult and time-consuming than necessary.

And while SD-WAN helps simplify the network in many ways, alone it’s insufficient, requiring other appliances that collectively increase complexity. More specifically, protecting the branch from Internet-borne threats is critical if businesses are to use broadband to improve cloud performance and reduce WAN costs. The majority (81 percent) of respondents deploying SD-WAN in the next 12 months identify “protecting locations and the site-to-site connections from malware and other threats” as a “critical” or “very important” priority in their SD-WAN decision making.

Threat protection will be integral to SD-WAN adoption

Yet most SD-WAN solutions do not natively provide threat protection or, for that matter, native cloud service (datacenters and applications) connectivity. Integration projects are needed to tie external security appliances into the SD-WAN or to stretch the SD-WAN overlay to cloud resources, if it can be done at all. No surprise, then, to find that nearly a third of respondents say SD-WAN appliances are still too complex. Even SD-WAN services, whose express intent is to simplify network deployment, are still too challenging, with a quarter of respondents labeling SD-WAN services as too complex.
To learn more about the challenges enterprises are facing with network, security, mobile, and cloud infrastructure, read our analysis and see the full results for yourself in the published report.

Stratoscale Boosts Throughput 8X with Cato Cloud

Delivering the necessary throughput to distributed teams remains a challenge for IT professionals. The unpredictability of the Internet can wreak havoc with long-distance connections. Just ask Stratoscale.

Background

The company provides cloud building blocks to modernize and future-proof the enterprise on-premises environment. Research and development (R&D) is spread between its Israeli headquarters and North America. Approximately 100 internal users connect to Stratoscale’s network, with additional developers in Canada connecting to the Israeli datacenter via SSL Virtual Private Networks (VPNs).

Challenge

Stratoscale developers routinely pulled down Docker files from the Israeli datacenter. While working within the office, developers benefited from a 1 Gbits/s Internet connection, but remotely, performance became an issue. The combination of Docker’s large file sizes and high Internet latency meant retrieving a Docker image could take “hours,” says Oren Kisler, Director of IT Operations at Stratoscale. Purchasing an MPLS service or deploying WAN optimization appliances weren’t feasible. The MPLS price tag was “higher” and WAN optimization is a site-to-site solution, says Kisler. “Neither is suitable for developers working offsite.” Instead, Stratoscale turned to Cato’s secure cloud-based SD-WAN to more than quintuple remote Internet throughput. To learn more about how they improved mobile access optimization, read the complete case study here.

What To Look For in a SD-WAN Vendor

MPLS networks have been the standard configuration for enterprise networks for years, providing predictability and availability. However dependable, MPLS comes with its own set of challenges, such as expensive connectivity and long deployment times. MPLS is much more expensive compared to standard Internet, and can take anywhere from 60-120 days to provision. MPLS also doesn’t address cloud or mobile traffic, which is a major issue for enterprises. Security policies for MPLS-based networks need to be managed at each site, and the various appliances must be continuously updated and upgraded.

Many organizations today are choosing to migrate to SD-WAN (software-defined wide area network), because it can eliminate the challenges of MPLS networks. SD-WAN brings software-defined networking (SDN) to the WAN, improving WAN management and increasing cost savings when compared against MPLS. There are many SD-WAN providers available, so it’s important to know what key features to look for in an SD-WAN solution. Here are six points to consider when choosing an SD-WAN provider:

Beyond Basic SD-WAN

Every SD-WAN connects locations by definition. When considering deployment options, think beyond branch offices and remember that your network consists of other entities. Check that the SD-WAN can also connect cloud datacenters, cloud applications, and mobile users.

Simple Deployment

Deploying a new site with SD-WAN should be fast and simple. Zero-touch provisioning allows a site to be brought up without requiring a technical person on-site to configure the SD-WAN device. It just needs to be connected and powered up, and it downloads its configuration from a predefined server or location.

Availability

Migrating to SD-WAN shouldn’t mean compromising on availability. In fact, with active/active configurations, SD-WAN can provide better uptime than MPLS. All too often, companies connect locations to an MPLS service with a single line.
As a result, they remain susceptible to line failures from cable cuts, router misconfigurations, and other physical plant problems. Active/active protects against such failures by using redundant active lines to connect locations to the SD-WAN. Should one line fail, traffic can be instantly diverted to the alternate connection.

Performance

Whether moving to a hybrid solution or moving completely to SD-WAN, performance is critical. Look for a provider that has its own SLA-backed backbone for consistent long-haul performance. This is particularly important for global networks, where the Internet middle mile is often too inconsistent for enterprises. Additionally, overall performance will be degraded if the SD-WAN solution doesn’t effectively detect brownouts or blackouts. Any SD-WAN solution should also be capable of prioritizing real-time traffic over non-real-time traffic.

Security

Encryption and segmentation are basic, must-have security features for any SD-WAN. Some SD-WAN solutions also provide rudimentary firewalls. This still doesn’t protect against malware and other application-layer attacks. To enhance network security, some providers offer security service insertion from a third-party vendor. However, a provider that can offer integrated cloud-based security services is preferred, as it can be more easily managed by the network security administrator.

Management

Improved manageability as compared to MPLS is a key feature of SD-WAN. Look for a provider that offers centralized management capabilities with the ability to easily monitor the entire network. This eliminates the need for multiple tools or platforms for monitoring performance, availability, and security. In order to maintain the simplicity that SD-WAN can provide, don’t add features that aren’t needed in your environment.

There are many points and features to consider when choosing an SD-WAN vendor to fit your business needs.
The points covered here are key considerations when making the best choice for your organization’s successful move to SD-WAN. For more information, visit https://www.topsdwanvendors.com/ for a list of top SD-WAN vendors. Also take a look at Cato Networks’ blog for more information on various SD-WAN topics, such as Global SD-WAN as a Service and securing your SD-WAN network.

Inside Cato’s Advanced Security Services

More and more IT managers are interested in converging SD-WAN with network security — and for good reason. An agile, efficient, and ubiquitous security architecture is essential if organizations are to fully transform their networks. But as we’ve noted before, traditional SD-WAN fails to adequately address the security dimension, relying on existing security appliances and solutions. The result: continued costs and complexity that limit the value of WAN transformation. Cato Cloud is different. It’s an SD-WAN built from the ground up with security in mind. Networking and security are fully converged, providing a more scalable, more efficient SD-WAN.

Network Security Appliances Limit Traditional SD-WAN

SD-WAN became popular by solving the challenges of adapting legacy wide area networks (WANs) to the modern enterprise. The MPLS architectures of most enterprise WANs add far too much latency to Internet- and cloud-destined traffic. Other problems, including extensive deployment times (as much as 90 days) and high bandwidth costs (think double or more their Internet equivalents), make MPLS incompatible with evolving enterprise requirements. And while traditional SD-WAN succeeded to a point, it ignored the network security requirements of branch offices. Companies must still deploy external security appliances. As such, traditional SD-WAN fails to address significant areas of complexity within the network that continue to increase costs and limit today’s networks:

- Appliances still need to be bought, deployed, maintained, upgraded and retired.
- Appliance capacity has to be upgraded outside a budgetary cycle, or sit idle to avoid the hassle.
- Appliances need the support, care, and feeding of experienced staff or outsourced support. Either way, software updates often lag because of their high risk and complexity. The result is reduced appliance effectiveness over time.
- Security appliances protect their locations; additional security elements are needed to protect other offices, cloud resources, and mobile users.

The resulting patchwork of security solutions not only strains IT budgets but also undermines network visibility and insight. Deploying separate security appliances at each office is unmanageable and expensive, but the alternative — centralizing Internet access and security appliances in regional hubs — dramatically increases the costs and complexity of the SD-WAN. For many organizations, building regional hubs is infeasible, being far too expensive and challenging. And regardless, regional hubs continue to incur all of the upgrade and scaling challenges of appliances.

Cato Cloud: Converging Security and Networking into a Global SD-WAN Service

Cato Cloud is very different. From the beginning, Cato Cloud was built with security in mind. Cato Cloud is a global and secure SD-WAN as a service, converging the networking and security pillars into a single platform. Convergence enables Cato to collapse multiple security solutions, such as a next-generation firewall, secure web gateway, anti-malware, and IPS, into a cloud service that enforces a unified policy across all corporate locations, users and data. Because Cato is delivered as a cloud service, customers are relieved of the burden of patching, upgrading, and updating. Customers also don't need to size or scale network security. All traffic passing to Cato’s licensed security services is handled according to the customer-specific security policy, while Cato takes care of the underlying infrastructure. As part of the service, Cato employs a dedicated research team of security experts, Cato Research Labs, which continuously monitors, analyzes and tunes all the security engines, risk data feeds, and databases to optimize customer protection.
Enterprises of all sizes are now able to leverage the security and threat detection expertise of Cato Research Labs and a hardened cloud platform to improve their security posture. To better understand Cato’s security architecture and the specific security services provided in Cato Cloud, read our in-depth overview here.

Arlington Orthopedics Switches to Cato Cloud Enabling Lean IT and Agility

With IT called to support more users and deliver more services without increasing budget, the IT team at Arlington Orthopedics P.A. faced the kind of pincer move all too familiar to IT professionals. Normally, such an objective would be mission impossible for a network built on MPLS and firewall appliances. The sheer complexity and cost of the infrastructure would make lean operation difficult. That's why the team turned to Cato.

“It was obvious to me that I had to focus my resources,” says George McNeill, director of I.T. for Arlington, one of the largest orthopedic practices in North Texas. “I needed my infrastructure to be as lean as possible. This way we could invest in business analysts or other customer-facing roles and technologies, not internal IT roles such as networking and security specialists.”

The company was looking to nearly double its regional network, growing from three Texas locations — a main office in Arlington and branches in Mansfield and Irving — to five locations, adding offices in Midlothian and Odessa. The existing locations had firewall appliances connected by 100 Mbits/s, layer-2 MPLS connections. Internet-bound traffic was backhauled to Arlington, which had a 100 Mbits/s Internet connection secured by another firewall appliance.

All of which meant that the Arlington network was anything but lean. The company spent $10,000 per month for the 100 Mbits/s MPLS service and connections were still “choking out,” McNeill says. MPLS’s infamous deployment times also meant he needed a 90-day window for deploying new offices — far too long for the firm. The existing firewall appliances were also sucking up resources he didn’t have. “Firewalls are complicated by default, but they’re even more complicated when set up by someone else who’s no longer with the company and with his or her own ideology and thought,” he says.
Troubleshooting the performance problem that was “choking” his network wasn’t easy. The company’s office and regional networks were flat, layer-two subnets. Firewall appliances at each location were connected by meshed, point-to-point virtual private networks (VPNs). Servers located in Arlington were accessed by the branch locations. George knew that some locations had performance problems, but diagnosing them was very difficult. “We could see the traffic, but figuring out the source of the problem was impossible,” he says.

And with IT resources spent keeping “the lights on,” other projects had to be pushed to the side. Disaster recovery (DR) was one such example. “I could have set up a DR site using a site-to-site VPN,” he says, “but then I would have to put a whole lot of work into the effort and still have a single point of failure.”

George tried a carrier-managed SD-WAN service, but found himself back in the world of MPLS-like thinking. “The provider wanted me to buy without a trial. What person in his right mind would use a service without a trial?” he says. Instead he turned to Cato for help building a secure cloud-based SD-WAN as an affordable MPLS alternative. What happened next simply amazed him... Read the full story here.

SD-WAN vs. MPLS vs. Public Internet

For better or worse, businesses are becoming more globalized by the day. Business-critical traffic is increasingly routed between offices across borders, incurring packet loss and latency that are completely unacceptable. Network architectures that served us well for years no longer fit global business in 2017. To meet the needs of a global enterprise, our network architectures need to evolve as well. Which architectural approach will best serve your needs — MPLS, public internet or cloud networks? Our answer is, well, it depends.

Business Needs vs Regulation

Compliance and regulatory issues, as well as business needs, take center stage when making a decision. Regulation can limit your options, but at the same time your network is a strategic business asset, critical for optimizing overall business performance. With the rise of SaaS, the cloud, and the continuous migration of business-critical applications to a mobile and globalized business environment, secure and reasonably priced connections become vital for maintaining international business operations. For a global company operating in distinct markets, a stable and optimized network becomes a mission-critical asset.

The Pros and Cons of Public Internet

Ordinary broadband Internet is inexpensive and widely available. The low-cost, easily adopted public Internet is an attractive option for reducing bandwidth costs, at least when compared to MPLS. On the downside, volatile latency, congestion, and the lack of end-to-end management can disrupt business-critical applications.

Pros of Public Internet
- Costs
- Quick setup

Cons of Public Internet
- Unstable Performance
- Low Levels of Latency

The Pros and Cons of MPLS

The major reason for using expensive MPLS services is dependability. Service level agreements (SLAs) guarantee latency, packet delivery, and availability.
Should there be an outage, the MPLS provider resolves the issue within a stated period of time or pays the requisite penalties. But there’s a cost for that kind of service. Despite price erosion, MPLS services remain significantly more expensive than Internet services. According to Telegeography, in Q4 2016, median 10 Mbps DIA prices averaged 29 percent less than port prices for MPLS IP VPNs.

Every company must assess the importance of guaranteed network performance and quality to a given application and location. When critical, there is a strong case for MPLS. However, backhauling Internet traffic through MPLS lines can result in degraded cloud performance for remote branches due to the “trombone effect” — when Internet traffic is pulled back to a centralized Internet access point only to be sent back across the Internet to a destination near the sending user. When a portal is out-of-path or far away from the destination, latency increases and cloud performance is significantly degraded.

Pros of MPLS networks
- Low Latency
- Low Packet Loss
- Guaranteed Availability and Performance

Cons of MPLS networks
- Expensive
- Long Setup Times: Weeks or Even Months
- Degraded Cloud Performance

SD-WAN: Getting the Best of Both Worlds

Until recently, the only way to get predictable performance and reliable connectivity between distant corporate locations was by using expensive MPLS connections, even though inexpensive Internet services are widely available. SD-WAN is redefining the WAN by creating a network that dynamically selects the most efficient transport service from an array of public Internet connections and MPLS links. It has two main benefits: cost efficiency and agility. The SD-WAN aggregates several WAN connections into one software-defined network (SDN), using policies, application-aware routing, and dynamic link assessment to select the optimum connection per application.
Ultimately, the goal is to deliver just the right performance and uptime characteristics by taking advantage of the inexpensive public Internet.

Cloud-based SD-WAN: A Step Forward

Cloud-based SD-WAN offers advanced features, such as enhanced security and seamless cloud and mobile user support, that result naturally from the use of cloud infrastructure. And by running over an SLA-backed backbone, cloud-based SD-WAN delivers far more predictable latency and packet loss than the public Internet. As a result, cloud-based SD-WAN can replace MPLS, enabling organizations to release resources once tied to WAN investments and create new capabilities. A typical use case for a new cloud-based SD-WAN deployment is a global enterprise with business processes tightly integrated into the cloud.

Conclusion

Every company is different, and there is no silver bullet when it comes to enterprise networking. However, for global enterprises looking for efficiency and flexibility, cloud-based SD-WAN solves many issues presented by traditional approaches to enterprise networking. To learn more about SD-WAN, subscribe to our blog.

Read more:
- SD-WAN Pros and Cons
- Cloud MPLS - The business case for SD-WAN

Humphreys Replaces SD-WAN Appliances with Cato Cloud

When Humphreys & Partners Architects, an architectural services firm, needed to open an office in Uruguay, the Dallas-based firm faced a problem all too familiar to MPLS buyers — the high cost and inflexibility of MPLS. The company’s MPLS network already connected the Dallas headquarters with offices in New Orleans, Garland, Texas, and Toronto. Another office in Vietnam relied on file sharing and transfer to move data across the Internet to Dallas.

The new office in Uruguay proved to be a challenge. Humphreys’ MPLS provider proposed an international connection at the same price as his existing Dallas connection with only approximately a thirtieth of the capacity. “It was a take-it-or-leave-it kind of deal — so we left it,” says Paul Burns, IT Director at Humphreys.

Pricing might have been the tipping point for Burns, but it was hardly his only complaint with MPLS. Connecting new locations took far too long, with circuit delivery requiring several months. “Ninety days doesn’t fly anymore when a site is just two or three people in a garage, and DSL can be delivered in a day or two,” Burns points out. What’s more, MPLS wasn’t agile enough to accommodate Humphreys’ growth. “Many of our offices start with a few people, but then they outgrow the space. Every time we moved, our carrier wanted a three-year contract and 90 days to get the circuit up and running.”

Even simple network changes, like adding static routes to a router, necessitated submitting change tickets to the MPLS provider. To make matters worse, the carrier team responsible for those changes was based in Europe. “Not only did the carrier require 24 hours, but often the process involved waking me in the middle of the night,” Burns says. MPLS inflexibility hurt more than the business; it hurt Burns’ reputation. “I once sat in an executive meeting and learned that we were moving an office,” he recalls.
“I explained to the other executives (again) that the move would take at least 90 days. They just looked at me like I was crazy.”

SD-WAN Appliances Prove To Be Too Complicated

Burns needed a different approach and tried solving Humphreys’ networking problems with SD-WAN appliances. He connected SD-WAN appliances in the Uruguay location, as well as a new Denver office, via the Internet. SD-WAN appliances in Dallas; Newport Beach, California; and Orlando were dual-connected to the Internet and MPLS. The SD-WAN appliances could not address his Vietnam office, and deployment proved to be very complicated. “The configuration pages of the SD-WAN appliance were insane. I’ve never seen anything so complicated,” says Burns. “Even the sales engineer got confused and accidentally enabled traffic shaping, limiting our 200 Mbits/s Internet line to 20 Mbits/s.” Ultimately, Burns abandoned the SD-WAN appliance architecture. To learn more about his experience and how Cato Cloud revolutionized his WAN in surprising ways, read the complete case study here.

How to improve mobile access to AWS, Office 365, and the rest of the cloud

Not so long ago, an “android” meant “robot,” and our applications lived in physical datacenters. Mobile access, I mean “remote access,” was an afterthought. Those users who would “telecommute” suffered with multiple identities — one for the road and one for the office. As mobility and the cloud have become the norm, thinking of them as afterthoughts no longer makes sense. A mobile-cloud-first strategy is needed. And yet adopting such an approach can be difficult, if not impossible, for traditional mobile (remote) access architectures. To better understand why, we developed the “Mobile Access Optimization and Security for the Cloud Era” eBook. You can download it here.

Today, far too many threats can be delivered into your enterprise through unprotected mobile devices. Management and compliance are also challenging without visibility into mobile traffic. Secure mobile access is critical, but only possible with user cooperation. Too often, though, mobile users find mobile VPNs sluggish, particularly when accessing the cloud. They end up reverting to direct Internet access, compromising security, visibility, and control.

Performance isn’t the only issue. Maintaining separate mobile and fixed identities makes life more complex for users (think more help desk calls for password resets) and IT professionals (think time spent configuring and maintaining separate access policies, for example). Think that’s all? Hardly. There are hosts of specific issues depending on whether mobile users access physical datacenters, cloud datacenters, or cloud applications. Which is why we’ve created this in-depth eBook. Some of the issues you’ll learn about include:

- The performance and security challenges when accessing Office 365, AWS or the rest of the cloud.
- How to secure mobile access to the cloud and improve the mobile experience.
- Why converging SD-WAN, security, and mobility makes so much sense.
- And much, much more.
The detailed checklist walks through each secure mobile access approach in, well, detail. It’s a great resource that is sure to shorten and improve your mobile access evaluation process.

Related articles:
- Cloud network automation
- Direct Internet Access Strategy

WAN Architecture Webinar: How Will You Transform Your WAN in 2018?

During our recent webinar, “The 2018 Guide to WAN Architecture and Design,” many of you participated in a spot survey and asked some excellent questions. We promised to share the results of that research and address as many questions as possible, so let’s get to it.

For those who might have missed the webinar, we highlighted the networking challenges enterprises will face in 2018 and how best to address them. Dr. Jim Metzler, founder of Ashton, Metzler & Associates, presented findings from his recent research, and Ofir Agasi, Director of Product Marketing at Cato, shared case studies and strategies to address those challenges. You can watch the webinar and learn about Jim’s research here.

What are the most important drivers for improving your WAN?

We asked participants two poll questions during the webinar — one about the most important drivers for improving their WANs, and the other about the biggest networking challenges facing their existing WAN architectures. Overall, we found two drivers ranked highest (27% of responses) — “Prioritize business-critical application traffic” and “Reduce connectivity cost” (see Figure 1).

Prioritizing business-critical traffic is, of course, important, as entertainment and non-critical traffic are a reality of enterprise networks. With Cato Cloud, IT managers can not only prioritize business-critical traffic but also report on and manage all traffic types across their backbones. “We found that Netflix was being streamed across the network during company hours,” says George McNeill, director of I.T. for Arlington Orthopedics, one of the largest orthopedic practices in North Texas. “With our firewall, we would have only been able to block Netflix, and that was my knee-jerk reaction, but then whoever was watching Netflix would switch to another network.” “Cato allowed me to identify the user watching Netflix and on which device — his cell phone.
This way I was able to send him an email to hold off on movie time during company time. And if he keeps doing it without permission? I’m going to turn off Netflix for just that phone during work hours,” he says. Which driver is the most important for improving your WAN? [caption id="attachment_4507" align="alignleft" width="840"] Figure 1[/caption] Reducing connectivity costs is typically a high priority for organizations considering SD-WAN. But once they deploy SD-WAN, our research (and others) show that agility becomes the major benefit. In part, that’s because traditional cost estimates for switching to SD-WAN appliances fail to consider the full range of services needed for an SD-WAN deployment. Securing branch offices is one major factor. Another factor is the Internet’s erraticness and, as such, the inability to leave a costly MPLS service. Cato addresses both by converging a complete suite of security services into the Cato network, an SLA-backed network that’s an affordable, MPLS alternative. The biggest networking challenges: site provisioning times and visibility As for the challenges facing current WAN architectures, the speed of site provisioning was ranked number one overall (29%) followed by the lack of visibility into network traffic (25%, see Figure 2). The long delays associated with deploying new MPLS locations is well documented. Installing a new MPLS circuit can take 90 days or more. SD-WAN addresses this problem by being able to use broadband circuits. Cato goes even a step further by integrating mobile users into the SD-WAN. IT managers are able to use our mobile client and 4G/LTE access to get users up and running in minutes. “Cato gave us freedom,” says Paul Burns, IT Director at Humphreys & Partners Architects, an architectural services firm based in Dallas. “Now we can use a socket, a VPN tunnel, or the mobile client, depending on location and user requirements.”   Burns was unable to connect remote offices with other SD-WAN solutions. 
“My biggest concern with connecting [our] Vietnam [office] to our previous SD-WAN, was shipping the appliance. There was the matter of clearing customs and installation. We’d be dealing with a communist country, and I wasn’t familiar with its culture. With Cato, users just download and run Cato’s mobile client.” What is the biggest networking challenge you deal with in your current WAN architecture? [caption id="attachment_4508" align="alignnone" width="840"] Figure 2[/caption] The lack of visibility has become a major problem for networking professionals. Today, most Internet traffic is encrypted, limiting the visibility of many traditional IT tools. Security and networking appliances often lack the resources to decrypt all SSL/TLS traffic at scale. This says nothing about the mobile traffic that traditionally bypasses the WAN/SD-WAN altogether. With Cato, IT managers gain visibility into all enterprise traffic regardless of origin or destination. Cato Cloud intercepts SSL/TLS traffic at scale. Decrypting and re-encrypting traffic has no impact on Cato Cloud performance. And since Cato Cloud treats mobile users (and cloud resources) on an equal footing with office users, networking teams gain a single poital with visibility into their mobile, cloud, and fixed traffic (see “A Single Pane of Glass”). A Single Pane-of-Glass [caption id="attachment_4491" align="alignnone" width="537"] Cato provides deep visibility into all enterprise traffic.[/caption] Questions and Answers During the webinar, many questions were asked about Cato Cloud. Here are the answers to some of them: Does the firewall service provide compromised website filtering? Say if a user tries to go to a website that has recently been compromised by a virus? Absolutely. Cato Security Services is a fully managed suite of enterprise-grade and agile network security capabilities directly built into the network. 
Cato Security Services are seamlessly and continuously updated by Cato’s dedicated networking and security experts. Does Cato offer service in Canada? Yes, Cato has two points of presence (PoPs) in Canada. Additional PoPs are strategically situated to be within 25ms of most areas within Canada and the rest of North America. We’re constantly expanding the network, which currently spans 39 PoPs around the globe, putting most major areas near the Cato network (see “The Cato Cloud Network’). Besides the SD-WAN, does Cato Cloud also do IPS, antivirus, SSL interception, opening ports, L7 protection (e.g. block dropbox), and forwarding traffic? Yes, an essential feature for Cato Cloud is the ability to act as your edge security solution. Current services include a next generation firewall/VPN, Secure Web Gateway, Advanced Threat Prevention (including Cato IPS), Cloud and Mobile Access Protection, and Network Forensics. How do you address real-time services, if MPLS services are replaced with Internet links? Cato Cloud is unlike traditional SD-WAN appliances that must rely on the Internet backbone. The Cato Cloud network is a global, geographically distributed, SLA-backed network of PoPs, interconnected by multiple tier-1 carriers. Jitter, latency, and packet loss are closely managed. The Internet is only used in the last mile to the customer premises. Numerous customers, such as Humphreys and Fisher & Company, run real-time services across the Cato backbone. The Cato Cloud Network [caption id="attachment_4481" align="alignnone" width="975"] Map of PoPs[/caption] Read more about WAN architecture and design

How One IT Manager Deployed Sites in Minutes and Cut Costs by 10%

It’s become almost cliché to talk about how SD-WAN improves IT “agility,” but not for one IT manager at a security software company that asked to remain anonymous. He learned firsthand how much cloud-based SD-WAN services can improve IT agility, and turn you into an IT hero.

The company wanted to expand its development team and open a branch office in Europe. The IT manager was given five weeks to make that happen. Meeting that deadline wasn’t going to be easy when three weeks alone were needed to get a connection in place.

The team began looking at alternative options. The Internet was the obvious choice. The company already had plenty of experience running IPsec virtual private networks (VPNs) across the Internet. The existing US and Asia-Pacific offices were already connected by a mesh of IPsec tunnels between local firewall appliances. About 90 mobile users were configured with VPN clients to access those firewall appliances; there were 300 users in total accessing the company’s network.

Although a 200 Mbps Internet connection could be deployed quickly in the European office, performance was going to be a problem. Latency was far too long, and fluctuated too frequently. “The office required 100 percent uptime,” he says. “With the Internet, you can’t promise that. Your traffic still goes through several unknown ISPs. You can’t ensure that every hop is not a single point of failure.”

Deployment was also a challenge with Internet VPNs. For every branch, the team needed to configure tunnels to every other location. It was an arduous process: establishing the tunnels to each site, designing specific firewall rules for each tunnel, and factoring in user issues, such as whether or not to allow remote access. “It was about 1.5 hours of work per tunnel per site. We could spend a few days just configuring the VPN for a new location,” he says.

Read here how, using an MPLS alternative and eliminating security appliances, he was able to improve mobile workforce performance and reduce costs.

What’s Really the Best Approach for Replacing MPLS Connectivity?

It’s no secret that the legacy WAN faces many challenges adapting to today’s business. The big question is: what’s going to replace MPLS? SD-WAN appliances are the obvious answer, but not necessarily the best one.

Legacy WAN architectures based on MPLS services provide predictable performance between offices, but they’re not implemented in a way that easily accommodates the new realities facing IT. Users require ever-increasing amounts of bandwidth, an expensive resource on MPLS networks. With MPLS, connecting to cloud datacenters and cloud applications is often costly and difficult, or painfully slow. Mobile users are ignored by MPLS infrastructure altogether.

Many CIOs have embraced software-defined WAN (SD-WAN) appliances to solve their WAN problems. And while SD-WAN appliances move the WAN in the right direction, they focus more on fixing yesterday’s problems, the ones addressed by MPLS services, than on meeting the IT challenges confronting businesses today. Mobile users are still ignored. Companies still have to figure out how to secure the many Internet access points created by SD-WAN. They also need to find a way to deliver voice and other critical, real-time applications across the unpredictable Internet.

A new approach fixes the problems of SD-WAN appliances without introducing the problems of MPLS or other carrier-managed services. To help, we put together a thorough analysis of MPLS and SD-WAN alternatives, identifying their strengths and weaknesses, and suggesting a way forward. You can download the complete eBook here.

Top 15 Enterprise Networking Experts To Follow

These experts are on the front line of network architecture, working to educate the world about the changing landscape of enterprise network technology. The list includes people from across the spectrum, including analysts, researchers, independent consultants and IT pros.

Andrew Lerner (Gartner) (@fast_lerner)
Andrew is a Gartner guru specializing in enterprise networking. He focuses his keen analyst eye on emerging areas of WAN and has recently written about the complexities of network segmentation and how to pick the right technology and approach. Andrew also specializes in the challenges of Open Networking.

Steve Garson (@WANExperts)
Steve is an internationally recognized expert in SD-WAN. He works as a consultant for global organizations through his company SD-WAN Experts. As well as looking at the technology offerings within the space, he also looks at the evolution of the industry and the business side of the technology landscape. He runs an IDG contributor blog which focuses on cutting-edge thinking in the SD-WAN space. Garson is not afraid to speak out about core issues in the industry, and in a post correcting a Gartner report into security and SD-WAN he stated that: “It would be too easy to say that there’s one right approach to SD-WAN security. Each architecture has its strengths and weaknesses. The key is aligning those strengths to your needs.”

Ben Hendrick (IBM Security and NTSC board member), LinkedIn Profile
Ben Hendrick is a global executive at IBM Security and represents IBM on the National Technology Security Coalition (NTSC). Ben focuses on infrastructure and endpoint security with his team at IBM. As part of his role in the NTSC, Ben recently took part in an invite-only CISO conference. The NTSC has a major influence on regulations and policy, and Ben will be able to add his experience in SD-WAN to the debate. An interview with Ben Hendrick can be watched here.

John Burke, LinkedIn Profile
John Burke is a principal analyst with Nemertes Research with expertise in cloud architecture, storage virtualization, and WAN optimization. As an analyst in these areas he carries out research into solutions and advises enterprises on best-practice use models. John gave a recent Brighttalk webinar on “Building the SD-WAN business case” which is worth watching. He stated in a recent article: “Expect to see MPLS remain a significant force in the WAN for many years to come.”

Andre Kindness (@AndreKindness)
Andre Kindness is a principal analyst at Forrester. He specializes in enterprise network operations and architecture. His industry focus is retail and hospitality. Andre recently tweeted: “1st law of security: There isn't enough money for security until after a breach,” later adding: “I think we have enough data points to move it from theory to law.” An interesting recent webinar showcasing Andre’s expertise in retail networking and customer experience can be seen here.

Nolan Greene (@ngreeneIDC)
Nolan is a senior research analyst at IDC. He specializes in network infrastructure for enterprise clients and understands the complexities of go-to-market best practice and delivery. His focus is on trends in the enterprise as related to customer behavior. Nolan also shines a light on IoT and LP-WAN. Nolan will be speaking at the IT Roadmap Conference and Expo Dallas on the 15th of November.

Ivan Pepelnjak (@ioshints)
Ivan Pepelnjak is a prolific writer and advocate in the area of enterprise networks, network function virtualization, and data centers. His experience in network architecture goes back to the early 80s. Ivan will be running a series of online training sessions in 2018 about next-generation data centers and network automation. Stay in touch with Ivan’s views and teachings via his blog here.

Mark Bayne, LinkedIn Profile
Mark is Director of Sales Engineering at CATO Networks. Mark comes from a background of network security appliances and now focuses this experience on creating secure enterprise networks via CATO Networks. Mark recently gave a talk at IP EXPO Nordic 2017 about using a Firewall as a Service approach to network security. “Firewall as a Service (FWaaS) is a new type of next-generation firewall. It does not merely hide physical firewall appliances behind ‘cloud duct tape’, but truly eliminates the appliance form factor, making firewall services available everywhere.”

Robin Harris (@StorageMojo)
Robin is an independent analyst and consultant for TechnoQWAN LLC in the area of emerging technologies, including the network architecture space. He recently posted on the “Limits of disaggregation,” where he looks at how “Composable Infrastructure is hoping to split the difference, with the power to define aggregations in software, rather than hardware.” Robin also writes regularly for ZDNet.

Packet Pushers (@packetpushers)
Packet Pushers is an industry podcast about data networking run by network architects. The weekly shows are packed with everything from general views and comments on the industry to specific technology insights and reviews. Check out this podcast on “The Future of Networking” by Brian Godfrey.

Greg Ferro (@etherealmind)
Greg is one of the founders of the Packet Pushers podcast. He has vast experience in the field of data networking and network architecture. Greg currently works as a freelance architect as well as writing for Ethereal Mind. Famous for being outspoken, Greg tweeted recently: “9 out of 10 network engineers think the tenth network engineer is an idiot. 9 out of 10 also think ITIL is the dumbest thing ever.”

Chris Mellor (@Chris_Mellor)
Chris is a storage guy who writes a regular column for The Register. Chris picked up his storage and networking experience at companies like Unisys and DEC. At The Register, Chris gives informed commentary on a variety of networking technologies and company solutions. In a recent tweet he stated: “Hyperloop is a fantastic idea but I figure pushing the better safety angle is kind of dumb.”

Paul Mah (@paulmah)
Paul Mah is a freelance technology writer covering network storage and architecture at Techblogger.io as well as contributing to Computerworld. Paul hosted a recent interview with Jonathan Rault of Amazon on AWS and cloud security and how to create a more secure cloud environment.

Lee Badman (@wirednot)
Lee’s blog Wirednot is laser focused on wireless networks. He writes regularly on the latest developments in the world of WLAN and covers interesting topics on all things WiFi. A regular contributor to Network Computing, his blog is a go-to resource on wireless network administration and wireless security.

Lee Doyle (@leedoyle_dc), LinkedIn Profile
Lee is the Principal Analyst at Doyle Research and has published extensively on software-defined networking in major industry publications. In a recent Network World article, “SD-Branch: What it is and Why You'll Need it,” Lee discusses how the SD-WAN model of network virtualization is being copied at branch offices by deploying a single platform “that supports SD-WAN, routing, integrated security and LAN/Wi-Fi functions that can all be managed centrally.”

Read about IoT Security Best Practices

2018: Is Your WAN Ready?

It’s no secret. Regular readers of this blog know all too well what enterprises of all sizes are recognizing: the inefficiencies of legacy Wide Area Networks (WANs) are making it difficult for many IT leaders to meet the needs of today’s business.

Globalization, the move to cloud datacenters and applications, the increasing velocity of security threats: all demand that IT move faster and do more. Mobile users require security everywhere. Real-time applications, such as video and voice, continue to grow. But legacy carrier WAN services remain costly, take too long to deploy, and are poorly aligned with today’s Internet-first traffic patterns.

And, of course, doing more means doing more with the same or fewer resources. It’s not enough to simply “go to the cloud” and adopt “cheap Internet.” IT leaders need to reduce costs, but they also need to maintain and improve security and availability.

How can you best prepare your organization for 2018? Find out as Jim Metzler, founder of Ashton, Metzler & Associates, discusses his recent research, “The 2018 Guide to WAN Architecture and Design: Key Considerations when Choosing new WAN and Branch Office Solutions.” He’ll be joined by Ofir Agasi, Director of Product Marketing at Cato, who’ll discuss customer case studies and demo how Cato’s advanced SD-WAN features address some of the toughest challenges in building today’s network.

Join the webinar and learn:
The key WAN challenges facing IT managers and network professionals in 2018
Best practices and key considerations when evaluating existing and emerging technologies
How to implement an SD-WAN even when still under contract with your MPLS provider
How Cato enables you to rethink IT, improving IT service delivery and reducing costs

You can learn more and register for the webinar here.

The 2018 WAN Survey: Helping Us, Help You

What will 2018 bring for networking? Help us find out by participating in our recently launched “2018 State of the WAN” survey. You can see the survey here.

The survey seeks to understand the state of today’s business networks. We look at general networking and security trends impacting business. We dig into the drivers and adoption of SD-WAN, the cloud, mobility and more. And we uncover what IT managers really want from their SD-WAN suppliers.

Some of the questions we’ll explore include:
Will MPLS adoption continue to grow?
What impact will SD-WAN have on network security?
Is NFV more than just hype?
What are the most important factors when deploying SD-WAN?

By gathering information from folks like yourself, we’re able to help everyone understand the bigger picture of our industry. Last year, for example, we were able to predict the continued adoption of MPLS despite the emergence of SD-WAN. It was a widely covered insight that, while perhaps obvious today, rocked the industry back then. Many IT pros finally had a realistic barometer for their own networking plans and investment.

For more information and to participate, see the survey here.

How to Choose the Most Suitable Network Technology for Your Company

Twentieth-century biochemist and science fiction writer Isaac Asimov claimed, “No sensible decision can be made any longer without taking into account not only the world as it is, but the world as it will be.” And perhaps nowhere does his statement hold more true than in the world of network technologies.

The idea of future-proofing is key when choosing an enterprise network solution: anticipating current and future technological trends, i.e., exploring the many factors that need to be considered both within the context of current challenges and with the knowledge that the technologies are rapidly shifting. Here are some of the key factors to consider in making what is, for every enterprise, a crucial technology choice.

Understanding Your Company’s Needs

In the complex world of network technologies, how can you maximize the value of your buy? Here are the main business factors to consider:

Does your business have regional or global requirements?
For distributed enterprises, a network technology solution must support connections to all of the locations, data centers, and cloud partners, anywhere in the world. For businesses that have hundreds or even thousands of locations, limiting expenses for support and maintenance is a key issue in streamlining operations. This is one of the reasons that, according to Gartner analyst Joe Skorupa, by 2020 more than half of WAN edge infrastructure refreshes will be based on SD-WAN versus traditional routers. In fact, according to IDC, SD-WAN is entering a period of rapid adoption.

Business-critical applications
An important question to ask: where are your business-critical applications located, in an in-house data center or in the cloud? Depending on the answer, the bandwidth, speed, latency and performance requirements will differ. In recent years, we have seen cloud migration on a large scale. As Frost & Sullivan points out, as IT organizations shift toward a greater focus on strategy, commonly becoming an organization’s chief enabler of business goals, it is increasingly important that inflexible infrastructure investments within corporate data centers be replaced by solutions in the agile cloud. As a result, networks need to adapt to the new requirements of the increased use of cloud applications.

Mobile users
Some network setups do not provide visibility or control for mobile access to cloud applications. In these kinds of setups, mobile users are either connected directly, bypassing corporate network security policies, or they are forced through a specific network location, which affects performance. Given how widespread mobile adoption is, and its continued and rapid growth, enterprises should consider solutions that offer every mobile user secure and optimized access.

Network-specific security risks
You need to pay close attention to industry-specific threats by detecting and preventing intrusion, monitoring the network on an ongoing basis and proactively identifying vulnerabilities. As pointed out in this post by Cradlepoint, distributed enterprises must be especially vigilant regarding the constant dangers at the network’s edge, which is particularly vulnerable since it is the gateway into the corporate WAN.

Regulations and compliance
Many enterprises, for example in the healthcare and financial sectors, must comply with specific industry regulations. If this applies to you, keep in mind that network technologies can be set up to provide compliance reporting, to prove to governing bodies that the business data that flows over the network meets the necessary regulations.

Existing technology
It is quite likely that you will not be starting from a blank infrastructure canvas, so no amount of preparation and homework is too much. A new solution will need to integrate with some of your existing and legacy systems. You need a comprehensive replacement plan to introduce new technology with minimal pain, aggravation and cost.

Why global enterprises are switching to SD-WAN

With all of these significant business parameters to consider, finding a single solution that meets the multi-faceted networking needs of a global enterprise is a challenge. And here is where SD-WAN steps in. Software-defined wide area networking is a new way to manage and optimize enterprise networks. Created to overcome the high bandwidth costs and the rigidity of MPLS services, SD-WAN incorporates Internet transports (such as cable, DSL, fiber and 4G) into the WAN and forms a virtual overlay across all transports. An SD-WAN setup helps you stay on budget, by reducing costs, eliminating appliances, and streamlining operations, while connecting cloud servers and mobile users and offering advanced and comprehensive security.

Why Cloud Networking Is The Future Of Global Connectivity

Today’s businesses have vastly different Internet connectivity requirements than those of even just a few years ago. In global markets, finding a way to achieve a safe, reliable network connection has become critical for any business looking to stay relevant, competitive, and secure. But current options leave much to be desired.

MPLS networks: pros and cons

MPLS is the de facto choice for most enterprises, and for good reason. MPLS offers guaranteed availability and optimized application performance, as well as consistent latency and stability. MPLS connections also offer high uptimes, around 99.99%, an extremely important consideration when it comes to business applications. This is invaluable, assuming you’re willing to pay the high price for the bandwidth that these types of apps consume: MPLS is extremely expensive. If your company runs a host of mission-critical, real-time apps (like video conferencing and VoIP) where packet loss, latency, and jitter are an issue, MPLS might be a viable option. Out-of-control network expenses become an issue when bandwidth-hogging content results in high costs that are budget-prohibitive for many businesses.

Slow Setup and Implementation

Another major concern with MPLS is the length of time it takes to get systems up and running. A typical MPLS network install can take months to order, install, and implement. This results in costly delays that thwart company expansion and stifle productivity in high-growth operations. In a world where agility is a competitive advantage, slow deployments that drag on for months become unacceptable.

Do you identify with these MPLS concerns for business? Uncontrolled costs. Slow implementation.

SD-WAN: Agility is the driving force

SD-WAN can augment MPLS connections with the public Internet, allowing enterprises to lower WAN costs significantly. By utilizing the power of SD-WAN, businesses can improve agility and bring down costs. As businesses increasingly embrace the cloud and need to compete more effectively in dynamic markets, the demand for network agility, including reduced deployment and configuration times, drives SD-WAN adoption.

SD-WAN can solve many problems when it comes to connectivity, but not all SD-WAN solutions are created equal. The arrival of cloud-enabled SD-WAN has dramatically changed the playing field. Benefits of cloud-enabled SD-WAN include:
Cloud/virtual gateways that improve the reliability and performance of cloud apps.
Multi-circuit/ISP load balancing.
Improved performance of all WAN apps.
Real-time traffic shaping.
Improved disaster response with a reliable connectivity backup.
Nearest point of presence (PoP) connection to the network provider’s private fiber-optic backbone.

The private backbone guarantees low levels of latency, jitter, and packet loss, along with improved performance of all network traffic, especially for real-time apps that were traditionally best run on MPLS networks. Backbones are directly connected with major cloud application providers like AWS and Office 365, which dramatically improves reliability and usability. In addition to improving network connectivity and performance, cloud-enabled SD-WAN can help organizations reduce or eliminate MPLS appliance sprawl, control skyrocketing bandwidth costs, and benefit from all the security, reliability, and scalability that the cloud has to offer.

“. . . some Cloud-enabled SD-WAN providers have direct connections to the major cloud service providers. This means once your traffic hits your SD-WAN provider’s nearest cloud gateway, you connect directly to your cloud provider (as opposed to having to continue traversing the public Internet to reach them). This means less latency, packet loss and jitter… which equates to a better user experience with your company’s cloud applications.” IDG/Network World Contributor Mike Smith.

Even companies running real-time apps, which are typically vulnerable to the jitter, packet loss, and latency that come with doing business over the public Internet, will benefit from cloud-enabled SD-WAN. To learn more, feel free to contact us below.

Related posts: SD-WAN pros and cons; Cloud Network Automation

Firewall Bursting: A New Approach to Scaling Firewalls

The growing amount of encrypted traffic, coupled with security appliances’ limited processing power, is forcing enterprises to reevaluate their branch firewalls. The appliances simply lack the capacity to execute the wide range of security functions, such as next-generation firewall (NGFW) and IPS, needed to protect the branch. Organizations face a range of architectural choices:

Wholesale appliance upgrades: Companies can replace their branch office appliances with new ones. It’s an easy approach, but an expensive one.

Regional security hubs: Rather than upgrading all appliances, organizations can keep existing appliances but send all traffic through a larger firewall situated in a regional hub. Fewer appliances need to be upgraded and maintained, but hubs need to be built out.

Firewall bursting: Instead of building out a regional hub, firewall bursting leverages the cloud. As branch office appliances reach their limits, traffic gets sent, or “bursted,” up to a security service in the cloud. With SWGs, firewalls can burst Internet traffic, but not WAN traffic. With Firewall as a Service (FWaaS), both WAN and Internet traffic can be sent to the cloud for inspection.

To help navigate those choices, we’ve put together an analysis in the table below. The table compares the approaches across eight dimensions:

Traffic coverage: The type of traffic that can be inspected, WAN or Internet traffic.
Deployment: The complexity of adopting the architecture.
Network architecture: The challenge of adapting the network to the approach.
Advanced security: The strength of the security provided by the architecture.
Future proofing: The architecture’s ability to accommodate business and traffic growth.
Upgrades: The degree to which the company must invest in upgrading its appliances to accommodate the new architecture.
Branch firewall elimination: The degree to which the company can eliminate firewall appliances from its branch offices.

For more information about firewall as a service, contact us below.

AWS, Azure, or Google Cloud Platform? How Scenario Analysis Simplifies Choosing the Right Cloud Provider

With revenues projected to reach $246.8b in 2017 (up 18% on the year before), the public cloud is big business. The biggest IaaS providers, Amazon Web Services, Microsoft Azure and Google Cloud Platform, are all offering deals to attract customers. But figuring out which service is right for you isn't going to be simple. Cloud services have a huge range of options. One provider offers more database services, another more security tools, and still another a wider range of storage options. How do you make an "apples with apples" comparison between them? You don't.

In helping customers connect their cloud datacenters to Cato Cloud, and in our own efforts to select a cloud platform for Cato, we've spent a fair amount of time sorting between cloud options. Rather than focusing on features and options, our team hit on the idea of conducting a scenario analysis.

Learn more about scenario analysis and how you can use it to pick your cloud provider in our new e-book "AWS vs. Azure vs. Google: 10 Ways to Choose The Right Cloud Datacenter For You." This eBook will:

Explain what scenario analysis is and why it matters.
Present three scenarios you might consider when selecting a cloud provider.
Provide a detailed 10-point comparison guide contrasting all the leading providers.

Click here to download this must-have eBook.

The Mobile Access Revolution: Visibility and Performance Remain a Challenge

If mobile VPN seems a persistent pain in the you-know-where, you're not alone. At our recent webinar "Mobile Access Revolution: The End of Slow VPN and Users' Complaints," Adrian Dunne, global IT director at AdRoll, a leading ad tech company, and Ofir Agasi, our director of product marketing, analyzed the challenges posed by mobile users and how IT managers can address them.

Dunne brings extensive experience managing mobile users. The company has about 350 offsite contractors that Dunne's team manages. He evaluated a range of solutions and eventually settled on Cato Cloud to connect his mobile users and 500 employees to AdRoll's three datacenters running in Amazon AWS. (See this case study to learn more about the AdRoll implementation.)

During the webinar, we asked participants about their mobile VPN challenges. More than half of respondents indicated "lack of visibility and control" as their biggest challenge. The problem will only grow as companies shift their datacenters and applications to the cloud.

The WAN Ignores Mobile Users

While companies are transforming their WANs, in part due to cloud adoption, mobile users typically benefit little from that investment. That's because SD-WAN appliances were designed to replace routers, WAN optimizers and the rest of the networking stack needed for site-to-site connectivity, not mobile connectivity. With SD-WAN appliances, mobile users are still left establishing VPNs back to on-premises firewalls (or VPN concentrators). From there, they can exit through a local Internet access point or traverse the WAN to a central, secured Internet access point. Either approach impacts performance, rendering traditional VPN architectures a poor choice for accessing cloud datacenters and applications.

Allowing mobile users direct access to the cloud, though, still doesn't entirely solve the performance problem. Users remain subject to the erratic routing and high latency of the public Internet. More than a third of respondents indicated performance to be a problem when accessing cloud applications, cloud datacenters, or applications running in their physical datacenters.

Cato Cloud is a fundamentally different kind of SD-WAN that avoids these issues. It's a cloud networking architecture connecting all resources, physical, cloud, and mobile, to a single, virtual enterprise WAN. The result is a deep convergence of multiple capabilities, including WAN optimization, network security, cloud access control, and remote access to the network itself. Mobile user performance and IT visibility and control improve significantly. For more details, watch the webinar here.

The business case for SD-WAN: Because MPLS is Not Fit for the Cloud

If there is one thing crucial to remaining competitive in today's global marketplace, it's connectivity. As critical business applications move to the cloud, and with the wide adoption of SaaS and mobile applications in the workplace, connectivity has become a crucial business asset with a direct effect on the bottom line. The pressure is on IT departments to ensure fast, reliable, and secure connectivity across the globe. That means making sure the wide area network (WAN) connecting branch offices, data centers, cloud services and SaaS applications can handle the connectivity needs of digitally empowered global organizations. Multiprotocol label switching (MPLS) networks can no longer answer the business needs of a global enterprise. Software-defined wide area networks (SD-WAN) can get the job done. Here is why.

Cloud Requires a New Approach To Enterprise Networking

Cloud computing is among the most disruptive of recent technologies, removing the traditional boundaries of IT, creating new markets, spurring the mobility trend, enabling advances in unified communications and much more. Rather than building, upgrading and maintaining capex-based systems and applications in on-premises data centers, organizations are increasingly employing cloud delivery models such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) to take advantage of new opportunities. Even those that must maintain on-site data centers because of legacy systems, regulatory compliance or other factors are opting for hybrid IT strategies that include cloud technologies. The problem is that as companies adopt cloud-based services, deploy more bandwidth-intensive applications, and connect an increasing number of devices and remote locations, business requirements change and new technical challenges arise.

Particularly with SaaS, many business-critical applications are no longer hosted in on-site data centers. Instead, remote locations generate an increasing amount of traffic that bypasses the data center and goes directly to the Internet. Most legacy architectures cannot handle the new traffic patterns: with traffic traversing multiple hops in the network, poor performance ensues. In addition to cloud technologies, many companies are increasing their use of network-based, often cloud-powered, unified communications and voice over IP (VoIP). Because VoIP traffic is far more sensitive than conventional web and data traffic to transmission quality, latency, packet loss, jitter and quality of service (QoS) must be managed more carefully; any disruption in packet delivery lowers voice quality. Until recently, enterprises had two choices for handling cloud and VoIP traffic: fast and secure but extremely expensive and slow-to-provision MPLS, or the public Internet, with its accompanying security and performance challenges.

The Disadvantages of MPLS

MPLS has long been the go-to solution for connecting distant locations across the globe. MPLS connections are private: the traffic never touches the public Internet, and the class of service (CoS) feature lets customers prioritize traffic, providing a high level of reliability and performance. (Note that MPLS isolates traffic rather than encrypting it; data crosses the carrier's network in the clear unless the enterprise encrypts it itself.) Unfortunately, MPLS is extremely costly and entails lengthy provisioning times. Modern enterprises cannot afford to wait months to connect remote offices to their networks, yet because MPLS is carrier-dependent, connection and configuration work can take months to complete. It also relies on dedicated proprietary hardware, lengthening circuit provisioning times and complicating the configuration and management of connectivity across multiple sites.

MPLS circuits are extremely expensive: a router is required at each site, plus access circuits, bandwidth cost, and the associated CoS fee. Not surprisingly, management costs increase disproportionately with the number of branches and services supported. And the inability to adapt the network to the application can push companies to over-provision capacity, increasing costs further.

The Downsides to Internet and Hybrid Options

Internet broadband connectivity is less expensive than MPLS and can often augment or replace traditional MPLS-based networks. However, it comes with performance limitations and other challenges. Managing hybrid WAN topologies, which combine MPLS and the Internet, with legacy approaches to branch networking is often costly and ineffective as well. Even small configuration changes are difficult and can compromise a distributed network's availability, performance and security. There is also a lack of visibility into network behavior and application performance. Direct Internet access at multiple remote sites can bypass data center security services, weakening an organization's security posture. End-to-end visibility is compromised by encrypted applications and vendor opacity. And the lack of SLAs for broadband Internet, combined with limited MPLS capacity, results in unpredictable performance slowdowns.

The SD-WAN - An Appropriate Solution For Modern Enterprise

Unlike the alternatives, SD-WAN networks can readily meet the needs of businesses leveraging the latest technologies, and they offer both OpEx and CapEx savings. Gartner, the technology research and advisory company, refers to it as "…a new and transformational way to architect, deploy and operate corporate WANs, as it provides a dramatically simplified way of deploying and managing remote branch office connectivity in a cost-effective manner." Likewise, IDC, the market intelligence firm, notes that SD-WAN "…offers compelling value for its ability to defray MPLS costs, simplify and automate WAN operations, improve application traffic management, and dynamically deliver on the cost and efficiency benefits associated with intelligent path selection."

One of the biggest benefits of SD-WAN is that it offers centralized, software-based control and policy management that shifts network administrators' focus from network to application management. Instead of managing thousands of manually configured routers, they can use virtual network design, zero-touch provisioning and business-aligned, policy-based orchestration to centralize management.

There is Much More

If you need more reasons to consider SD-WAN over MPLS or other options, consider that SD-WAN offers:

The ability to connect locations with multiple data services running in active/active configurations.
Sub-second network failover that moves sessions to a new transport in the event of an outage without disrupting upper-layer applications.
Encrypted connectivity that secures traffic in transit across any transport.
The capability to immediately scale bandwidth up or down, ensuring critical applications receive the bandwidth they need when they need it.
Bringing up a new office in minutes, instead of the weeks or months it takes with MPLS. SD-WAN nodes configure themselves and can use 4G/LTE for instant deployment.

There are too many good things about SD-WAN to cover in a single blog post. To learn more on the subject, subscribe to the Cato blog.

Read about SD-WAN vs MPLS

Mobile Access: How to End Slow Mobile VPNs

User complaints about slow VPN access have been with us forever. Mobile users struggle to gain global access to business applications using legacy mobile VPN clients. They rely on the slow public Internet, with its convoluted global routing and high packet loss. Traditional VPN architectures are also incompatible with cloud datacenters in services such as Amazon AWS and Microsoft Azure, and with cloud applications such as Office 365. The need to force all traffic through a physical chokepoint, the datacenter firewall, impacts performance and the user experience. Alternatively, connecting directly to the cloud bypasses corporate network security, leaving IT with no visibility and control.

Join us on November 15, 2017, or November 16, 2017, for our next webinar, a master class in which Adrian Dunne, global IT director at AdRoll, explains how to avoid the pitfalls and challenges that lead to slow VPN access. Dunne revolutionized the way AdRoll, a leading AdTech company, delivered cloud resources to its global mobile workforce of employees and contractors. He developed an architecture that improved remote application performance and increased his visibility and control. He'll be joined by Ofir Agasi, director of product marketing at Cato Networks, who has spent more than a decade analyzing, developing, and delivering secure mobile access solutions. Together they'll dig deep into AdRoll's secure mobile access implementation and explain:

The impact of workforce globalization and cloud migration on legacy VPN architectures.
How AdRoll addressed these challenges to optimize its global workforce's access to multiple, multi-region AWS VPCs.
How Cato Cloud, Cato's secure, cloud-based SD-WAN, helps improve visibility, control and remote access to physical and cloud datacenters from anywhere in the world.

To learn more and register for the webinar, sign up here.

Read about SD-WAN vs VPN

How a Retailer Built an SD-WAN Across 100+ Stores: A Customer Case Study

Like many retailers, Pet Lovers needed an effective way to secure its stores and franchises. The spread of massive ransomware outbreaks, such as NotPetya, made firewalling particularly important. Pet Lovers had already connected and secured traffic between stores with an Internet-based virtual private network (VPN). Routers at every store directed point-of-sale (POS) traffic across the IPsec VPN to firewalls in the company's Singapore datacenter, which housed its POS servers. But other than the datacenter and four stores, none of the locations had firewalls to protect them against malware and other attacks. Protection was particularly important because employees accessed the Internet directly, outside the VPN.

Adding firewall or unified threat management (UTM) appliances at each site would have been cost prohibitive and taken far too long to deploy. For the sites that were equipped with firewall appliances, managing them was "tedious and slow," says David Whye Tye Ng, CEO and Executive Director at Pet Lovers. All security policy changes had to be implemented by the local service provider running the firewalls.

SD-WAN for Retail

He considered connecting the sites via an MPLS service. But following a "meticulous" assessment of the costs and offerings of the managed service, he says that neither MPLS nor deploying security appliances could meet his needs for low cost, rapid deployment, and simple ongoing management. "We did not want to be held hostage to the costs of MPLS and wanted a security solution that would be scalable and simple," he says.

Download the complete case study here and learn how Ng used Cato Cloud and its built-in Firewall as a Service (FWaaS) to revolutionize his network.

4 Ways to Secure Your Cloud Datacenter

If your company is like most, it's probably at least considering connecting a cloud datacenter to the WAN. Research shows that as of the end of last year, 90% of surveyed companies were using cloud services, with 57% claiming hybrid cloud deployments.

But before you can unleash the power of Amazon AWS, Microsoft Azure, or any other Infrastructure as a Service (IaaS) offering, you need to get to the cloud, and that's a lot harder than it sounds. Continuing to backhaul Internet and cloud traffic adds too much latency and consumes costly MPLS bandwidth. Besides, you're still left with finding a way to connect mobile users to the cloud without compromising visibility, security, and performance.

So what's the right approach? For help answering that question, check out this new eBook, "4 Ways to Connect & Secure Your Cloud Datacenter." It's a compilation of insights and tricks we've gathered from serving enterprises around the globe and from our own work here at Cato. Read the eBook and you'll learn:

The four networking architectures for securely connecting clouds to your WAN.
The pros and cons of those architectures.
The networking reasons why cloud applications often underperform.
Practical tips on how to fix those performance problems.

You can read the eBook here.

How Alewijnse used SD-WAN Connectivity as an MPLS Alternative: An In-depth Profile

As the company grew, Alewijnse found MPLS connectivity increasingly unable to meet its business requirements. The Dutch engineering company had built a global wide area network (WAN) out of MPLS and Internet services connecting 17 locations, 14 in Europe and 3 in the Asia Pacific, with about 800 mobile and field employees. Internet access was centralized in the datacenter for its Dutch sites; the Romanian office had its own firewall and Internet breakout. The three Asia Pacific locations established virtual private network (VPN) tunnels across direct Internet access (DIA) connections to the Amsterdam datacenter.

Users increasingly complained about their Internet performance. Cloud applications were starved for bandwidth as they were backhauled across a 10 Mbit/s connection to the datacenter. At the same time, carrying Internet-bound traffic across MPLS was increasing the monthly MPLS spend, consuming nearly 50% of the MPLS bandwidth to the datacenter.

MPLS was also limiting IT agility. The business needed to quickly establish project teams at customer sites all over the world, a need MPLS often couldn't meet. "With MPLS, I often had to wait three months to get a connection, if the technology was even available in that region," says Willem-Jan Herckenrath, manager of ICT at Alewijnse.

And MPLS did nothing for his security architecture. The firewall appliances that secured his branch offices carried substantial operational costs for deployment, management, and upgrades. Mobile security was an issue as well, and another area MPLS ignored.

Herckenrath and his team considered bundling SD-WAN solutions with a secure web gateway (SWG) service and another provider's backbone. But they rejected the idea. "The feature comparison looked good on paper, but they were more difficult to implement and much more expensive than Cato Cloud," he says. Instead, he addressed all of his MPLS connectivity and security requirements with Cato Cloud.

To get the full story, click here.

Can SD-WAN Services Meet the 6 Promises of SD-WAN?

Like so many areas of IT, networking has been revolutionized by SD-WAN, which is now being delivered as a service. But with so many of the same service providers who delivered expensive and complex MPLS connectivity now offering SD-WAN connectivity, determining whether an SD-WAN service will meet your requirements can be difficult.

Join our upcoming webinar for help answering that question as Yishay Yovel, Cato's Vice President of Marketing, walks through the differences between SD-WAN delivered as a managed service and SD-WAN delivered as a cloud-based service. Yishay brings more than 25 years of experience in defining and deploying enterprise IT software solutions and has helped countless enterprises with their SD-WAN strategies.

SD-WAN is meant to be transformative, delivering on 6 promises: simplicity, agility, security, optimized delivery, global connectivity, and affordability. More specifically, that means answering fundamental questions about the SD-WAN service:

Will the SD-WAN be self-service, or will it work like MPLS, where you still need to open a ticket for every move, add, and change?
Will security be built into the service so your branches can safely leverage the very technology that enables much of SD-WAN's cost savings and agility, direct Internet access?
How will you connect remote and international locations? Will you still need expensive MPLS to guarantee latency and packet loss to those sites, or can you use an affordable MPLS alternative to eliminate recurring costs altogether?

During this webinar, Yishay will explain why realizing this transformative impact isn't always possible with an SD-WAN service. He'll share a vision of an SD-WAN service designed for the cloud, and define an SD-WAN architecture that converges a global backbone, firewall as a service, edge and global optimization, and self-service management to redefine enterprise networking. Finally, he'll provide real-life examples and case studies of how enterprises use Cato Networks' SD-WAN to securely connect their locations, mobile users, and cloud resources.

Join us on October 25th or October 26th for this thought-provoking webinar. Sign up here.

IoT Security Best Practices

It's no secret that IoT security is a problem. That's why there are so many regulations and initiatives aimed at fixing the issue. But even with the right measures in place, networking professionals still need to be careful about how they deploy IoT. To that end, a number of best practices have been published to guide IoT deployments. Here's a rundown of those IoT security best practices from some of the top sites, for easy reference, and how a cloud-based SD-WAN such as Cato Cloud can help.

ZDNet: 10 best practices for securing the Internet of Things in your organization

The 10-step list compiled by Conner Forrest includes insight from numerous IoT experts, including John Pironti, president and chief information risk strategist at IP Architects, Gartner research vice president Earl Perkins, and Forrester Research senior analyst Merritt Maxim:

Understand your endpoints — Each new IoT endpoint introduced into a network is a potential entry point for cybercriminals and must be addressed as such.
Track and manage your devices — Know which connected devices are in the organization by rolling out an asset discovery, tracking, and management solution at the beginning of an IoT project.
Identify what IT security cannot address — Identify which aspects of the physical device cannot be secured through IT security practices.
Consider patching and remediation — Evaluate IoT devices in part on their potential for patching and remediation.
Use a risk-driven strategy — Prioritize the critical assets in your IoT infrastructure first.
Perform testing and evaluation — Do some form of penetration testing or device evaluation before deployment.
Change default passwords and credentials — While this is common sense, some IoT devices have default passwords that are difficult to change or cannot be changed at all.
Look at the data — Understanding the way an IoT device interacts with data is crucial to securing it.
Rely on up-to-date encryption protocols — Businesses should encrypt the data moving in and out of their IoT devices, relying on the strongest available encryption.
Move from device-level control to identity-level control — As more IoT devices offer the ability to connect multiple users to a single device, the focus of security should shift to identity-level control.

Microsoft: Internet of Things security best practices

The "Internet of Things security best practices" page on the Microsoft Azure site divides IoT security by role: hardware manufacturer/integrator, IoT solution developer, IoT solution deployer, and IoT solution operator.

IoT Hardware Manufacturer/Integrator
Scope hardware to minimum requirements: The hardware design should include the minimum features required for operation of the hardware, and nothing more.
Make hardware tamper proof: Build in mechanisms to detect physical tampering, such as opening of the device cover or removing a part of the device.
Build around secure hardware: If COGS (cost of goods sold) permits, build in security features such as secure and encrypted storage, or boot functionality based on a Trusted Platform Module (TPM).
Make upgrades secure: Firmware upgrades during the lifetime of the device are inevitable, so the upgrade path itself must be secured.

IoT Solution Developer
Follow a secure software development methodology: Development of secure software requires ground-up thinking about security, from the inception of the project all the way to its implementation, testing, and deployment.
Choose open-source software with care: When choosing open-source software, consider the activity level of the community for each open-source component.
Integrate with care: Many software security flaws exist at the boundary of libraries and APIs. Functionality that may not be required for the current deployment might still be reachable via an API layer. To ensure overall security, check all interfaces of the components being integrated for security flaws.

IoT Solution Deployer
Deploy hardware securely: Ensure hardware deployed in unsecured locations, such as public spaces, is tamper-proof to the maximum extent possible.
Keep authentication keys safe: During deployment, each device requires a device ID and an associated authentication key generated by the cloud service. Keep these keys physically safe even after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.

IoT Solution Operator
Keep the system up to date: Ensure that device operating systems and all device drivers are upgraded to the latest versions.
Protect against malicious activity: If the operating system permits, install the latest antivirus and antimalware capabilities on each device operating system.
Audit frequently: Auditing the IoT infrastructure for security-related issues is key when responding to security incidents.
Physically protect the IoT infrastructure: The worst security attacks against IoT infrastructure are launched using physical access to devices.
Protect cloud credentials: Cloud authentication credentials used for configuring and operating an IoT deployment are possibly the easiest way to gain access to and compromise an IoT system.

DarkReading: Get Serious about IoT Security

Derek Manky, in a commentary on Dark Reading, identifies four recommendations for IT professionals addressing IoT security:

Patch management is critical — Advanced threats have exploited already-patched vulnerabilities, so closing those gaps is critical. IPS and virtual patching should also be used to protect IoT devices that cannot be patched.
Use redundancy and segmentation to secure backups — Scan backups to ensure they're clean, and segment them off the network to prevent tampering.
Focus on improving internal visibility — Securing the perimeter is not enough. Implement the controls needed to monitor and secure internal traffic.
Reduce the time to defend — Connect proactive solutions together and simplify your network to respond faster to threats.

IEEE: Internet of Things (IoT) Security Best Practices

In "Internet of Things (IoT) Security Best Practices," the IEEE group breaks IoT security into three parts: securing devices, securing the network, and securing the overall system.

Securing Devices
Make hardware tamper resistant.
Provide for firmware updates/patches.
Perform dynamic testing.
Specify procedures to protect data on device disposal.

Securing Networks
Use strong authentication.
Use strong encryption and secure protocols.
Minimize device bandwidth.
Divide networks into segments.

Securing the Overall System
Protect sensitive information.
Encourage ethical hacking, and discourage blanket safe harbor.
Institute an IoT Security and Privacy Certification Board.

How Cato SD-WAN Helps Secure IoT

IoT security remains a challenge, but there's plenty IT professionals can do to minimize the risk. A secure, cloud-based SD-WAN such as Cato Cloud can certainly help. The built-in next-generation firewall (NGFW) and firewall as a service (FWaaS) protect mobile users and locations from external threats. Even if IoT devices can't be patched, Cato Cloud's advanced threat protection allows IT professionals to use virtual patching to protect the devices. And by inspecting all traffic between sites, the cloud, the Internet and mobile users, Cato Cloud detects and contains IoT threats that may have penetrated the perimeter. To learn more about Cato Cloud and how it compares with traditional, appliance-based SD-WAN, see our solution description.
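Microsoft's "keep authentication keys safe" item and the IEEE's "use strong authentication" item both come down to the same design: one key per device, generated by the cloud service, and a challenge-response check so that a key lifted from one device only lets an attacker impersonate that one device, and a captured answer cannot be replayed. The Python below is an added example of that design written for this page; it is not code from Microsoft, the IEEE or Cato. The DeviceRegistry class, the HMAC-SHA256 challenge-response, the 30-second nonce lifetime and the device IDs "sensor-a" and "sensor-b" are all assumptions constructed for illustration.

```python
"""Per-device authentication keys with HMAC challenge-response.

Added example, not any vendor's code. Assumed design: the cloud service
provisions one random 256-bit key per device ID, authenticates a device by
issuing a single-use nonce and checking HMAC-SHA256 over (nonce || device_id)
with that device's key, and revokes a device by deleting its key.
"""
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 30  # assumption: an unanswered challenge expires after 30 s


class DeviceRegistry:
    """Cloud-side state: provisioned keys and outstanding challenges."""

    def __init__(self):
        self._keys = {}    # device_id -> 32-byte key
        self._nonces = {}  # nonce -> (device_id it was issued to, expiry)

    def provision(self, device_id):
        """Generate a fresh key for device_id; it is installed on the device
        once, and the deployer must keep this copy physically safe."""
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def revoke(self, device_id):
        """Drop the key so a compromised device can no longer authenticate."""
        self._keys.pop(device_id, None)

    def challenge(self, device_id):
        """Issue a single-use random nonce bound to device_id."""
        if device_id not in self._keys:
            raise KeyError(f"unknown or revoked device: {device_id}")
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = (device_id, time.monotonic() + NONCE_TTL_SECONDS)
        return nonce

    def verify(self, device_id, nonce, response):
        """True only if response is the right MAC for this device over a nonce
        that was issued to it, is unexpired, and has not been used before."""
        entry = self._nonces.pop(nonce, None)  # pop: each nonce is valid once
        if entry is None:
            return False  # unknown nonce, or a replay of an already-used one
        issued_to, expiry = entry
        if issued_to != device_id or time.monotonic() > expiry:
            return False
        key = self._keys.get(device_id)
        if key is None:
            return False  # revoked after the challenge was issued
        return hmac.compare_digest(_mac(key, device_id, nonce), response)


def _mac(key, device_id, nonce):
    # Binding the device ID into the MAC input ties a response to one identity
    # as well as to one challenge.
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()


def device_respond(device_id, key, nonce):
    """Device side: answer the cloud's challenge with its provisioned key."""
    return _mac(key, device_id, nonce)


def scenario():
    """Exercise the properties with two constructed devices; returns outcomes."""
    cloud = DeviceRegistry()
    key_a = cloud.provision("sensor-a")
    key_b = cloud.provision("sensor-b")

    nonce = cloud.challenge("sensor-a")
    response = device_respond("sensor-a", key_a, nonce)
    genuine = cloud.verify("sensor-a", nonce, response)
    replay = cloud.verify("sensor-a", nonce, response)  # same nonce again

    # Attacker who extracted key_a from a tampered sensor-a tries to be sensor-b.
    nonce_b = cloud.challenge("sensor-b")
    impersonation = cloud.verify(
        "sensor-b", nonce_b, device_respond("sensor-b", key_a, nonce_b))

    # A nonce issued to sensor-a cannot be answered under sensor-b's identity.
    nonce_a2 = cloud.challenge("sensor-a")
    wrong_identity = cloud.verify(
        "sensor-b", nonce_a2, device_respond("sensor-b", key_b, nonce_a2))

    # Revocation wins even for a challenge issued before the revoke.
    nonce_a3 = cloud.challenge("sensor-a")
    cloud.revoke("sensor-a")
    after_revoke = cloud.verify(
        "sensor-a", nonce_a3, device_respond("sensor-a", key_a, nonce_a3))

    return {"genuine": genuine, "replay": replay, "impersonation": impersonation,
            "wrong_identity": wrong_identity, "after_revoke": after_revoke}


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the first verification in scenario() succeeds; the replay, the cross-device impersonation with a stolen key, the identity mismatch and the post-revocation attempt are all rejected. The constant-time compare_digest and the single-use nonce are the two details most often missing from home-grown device authentication; the per-device key is what limits the blast radius of the "compromised key" case the Microsoft guidance warns about.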

IoT Security Standards and Initiatives

It's no secret that there are significant concerns with Internet of Things (IoT) security. The concerns stem in part from several high-profile incidents. Late last year, for example, attackers exploited a vulnerability in a brand of IoT cameras to launch a DDoS attack on the website of security expert Brian Krebs. The following month, the Mirai botnet marshaled some 100,000 IoT devices to launch an attack on Dyn, the DNS provider. The industry has responded with numerous efforts and initiatives. Here's a summary of some of those efforts.

Industry Initiatives Promote IoT Security in IoT Devices and Solutions

About a year ago, the Cloud Security Alliance released a 75-page report describing how manufacturers can develop secure IoT products. In January, the Online Trust Alliance (OTA) updated its IoT Trust Framework to provide guidance on how to develop secure IoT devices and assess risk. The following month the GSM Association (GSMA) released its IoT Security Guidelines. The GSMA brings extensive experience guiding the development of security solutions in the mobile sector. The specification aims to do the same for IoT by promoting best practices around securing IoT services. The group also provides an IoT security assessment that IoT vendors can use to evaluate themselves.

Government Action Helps Enforce IoT Security

Also in January, the U.S. Federal Trade Commission (FTC) filed a lawsuit against an IoT manufacturer, in part for making "deceptive claims about security of its products." The lawsuit is expected, in part, to encourage the development of better, more secure IoT devices. While the lawsuit might be the proverbial stick, the FTC also has its carrot. The IoT Home Inspector Challenge, for example, was a competition arranged by the FTC to encourage the development of tools that help protect consumers against the risks posed by out-of-date IoT software. (The winner of the challenge was a mobile utility that lets users with limited technical expertise scan and identify home Wi-Fi and Bluetooth devices with out-of-date software and other common vulnerabilities. The software then provides instructions on how to update each device's software and fix the other vulnerabilities.)

The Department of Commerce's Internet Policy Task Force, under the auspices of the National Telecommunications and Information Administration, is reviewing "the benefits, challenges, and potential roles" for the government in advancing IoT. The group is working with various stakeholders to increase consumer awareness of the importance of security upgrades for IoT devices.

The British government issued guidelines for securing Internet-connected vehicles. According to Reuters, the government's aim is to ensure that engineers design out cyber security threats as they develop new vehicles. The guidelines also call for systems that can withstand receiving corrupt, invalid or malicious data or commands, and for allowing users to delete personally identifiable data held on a vehicle's systems, the report notes.

The Internet of Things Cybersecurity Improvement Act of 2017, introduced in August, represents an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities. The act looks to leverage the government's buying power to drive change by requiring compliance from IoT devices purchased by the US government, notes Brian Krebs.

The General Data Protection Regulation (GDPR) has a number of requirements relating to the use of IoT within the EU. The regulation takes effect on May 25, 2018.

Think we've missed some? Let us know. We'll be growing this list regularly.

Read about IoT Security Best Practices

TMC, Layer123 Recognize Cato for SD-WAN Leadership

TMC, a global, integrated media company, has awarded Cato Cloud a 2017 Internet Telephony SD-WAN Excellence Award. The award is given to companies that demonstrate the innovation, vision, and execution to deliver software-based networking tools to support different and unique communities of interest.

“Congratulations to Cato Networks for receiving a 2017 INTERNET TELEPHONY SD-WAN Excellence Award,” said Rich Tehrani, CEO, TMC. “Cato Cloud has demonstrated true innovation and is leading the way for Software Defined Wide Area Network. I look forward to continued excellence from Cato Networks in 2017 and beyond.”

The TMC award is the latest recognition for Cato’s revolutionary cloud-based SD-WAN, Cato Cloud. Last month, the service was shortlisted for Layer123’s Network Transformation Awards 2017 as the Best SD-WAN Service. Previous recognition included Gartner Cool Vendor 2017, a finalist spot in the RSA Innovation Sandbox 2017, and a place on CRN's 25 Coolest Network Security Vendors list.

Cato Cloud connects all enterprise network elements, including branch locations, the mobile workforce, and physical and cloud datacenters, into a global, encrypted and optimized SD-WAN in the cloud. With all WAN and Internet traffic consolidated in the cloud, Cato applies a set of security services to protect all traffic at all times.

“With Cato, the costs of our connection to Mexico alone dropped more than 80%, and we received twice the capacity,” says Kevin McDaid, systems manager at Fisher and Company, a leading manufacturer that replaced its global MPLS with Cato Cloud, an MPLS alternative. Overall, the company saved 95 percent on its annual costs, doubled its bandwidth and eliminated the complexities of MPLS — all without sacrificing line quality.

Cato Cloud consists of two complementary layers — the Cato Cloud Network and Cato Security Services. The Cato Cloud Network is a global, geographically distributed, SLA-backed network of points of presence (PoPs), interconnected by multiple tier-1 carriers. Enterprises connect to the Cato Cloud Network via any last-mile transport (Internet, MPLS, 4G/LTE). Cato Security Services is a fully managed suite of enterprise-grade and agile network security capabilities, built directly into the network. Current services include a next generation firewall, Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection and Network Forensics.

The cloud-based and multi-tenant Cato Management Application enables enterprises and service providers to configure policies, and monitor network activity and security events, from a single pane of glass. Cato Cloud is seamlessly and continuously updated by Cato’s dedicated networking and security experts, to ensure maximum service availability, optimal network performance, and the highest level of protection against emerging threats.

The 4 Drivers in the Journey to Full WAN Transformation

Organizations around the world are beginning to go through digital transformation projects. They are moving their datacenters to the cloud, using more and more SaaS products, and moving their networking (SD-WAN) and security (FWaaS) to cloud-based solutions.

The 4 Mega Drivers of Business

Profitability is always the driving factor for business. But in today’s hypercompetitive world, we can generally point to four mega drivers that impact profitability and influence business decisions: speed, scope, security and simplicity.

The need for speed — Speed matters more than ever. Businesses must move fast and react quickly to changing conditions and new opportunities. Local organizations go global; manufacturing moves factories to lower-cost regions. From pop-up stores to project sites, business locations tend to have shorter lifecycles. There is no time to waste, and IT must operate at the pace of today’s business.

Get stuff done everywhere — Mobility is increasingly important to getting close to customers and responding to business opportunities. The support infrastructure previously designed for fixed locations must now include individual workers. These users could be anything from offshore developers to field engineers, project managers, claims adjusters, or simply IT consultants.

Secure by design — Security can no longer be an afterthought. Given today’s threat landscape, security must be built into the way we do business. Because the strength of the defense is determined by the weakest link, we can't treat remote locations and mobile users as lower priorities. Enterprise-grade security must extend to all users and enterprise resources, especially the most dynamic and volatile ones.

Simplification drives cost reductions — Every company needs to focus on its core competencies, and unless you are a hosting provider you don't have an edge running complex private IT infrastructure. This is why enterprises increasingly turn to service providers and the cloud to run compute, storage, networking, and security. IT no longer has to own generic infrastructure and invest the resources just to keep the lights on. It can now better focus on and serve company-specific needs and initiatives.

For IT leaders, this means we must maximize the speed, scope, security and simplification benefits of every project. WAN transformation is one such example.

The WAN Is Incompatible with Today’s Business

The legacy WAN is misaligned with the way business gets done today. First, the WAN is slow to evolve. It was designed for permanent, static locations connected via expensive MPLS links. The legacy WAN slows us down when we need a quick turnaround for new sites, are on a deadline to split networks due to spin-offs, or are rushing to securely integrate acquisitions.

Second, the WAN provides no value to our mobile workforce. All of our fancy connectivity solutions, such as edge SD-WAN appliances, do not extend to the field people who are vital to our success.

Third, the WAN does not support our drive towards simplification by using the cloud. As we migrate our businesses to cloud datacenters or public-cloud applications, our legacy WAN architectures and optimizations can’t effectively support the new hybrid environment.

And lastly, traditional WANs are complex and very expensive. WAN providers can no longer justify the premium prices they used to charge when businesses mostly operated from fixed locations. Continuing to pay for dated services that are not compatible with today’s global, mobile and cloud-driven businesses makes little sense.

The 4 S’s of WAN Transformation

To be successful, WAN transformation must address the mega drivers impacting the business — speed, scope, security and simplicity — for fixed locations as well as mobile users and cloud resources. Many organizations are looking to the Internet as a way to address the limitations of their traditional WANs. The software-defined WAN (SD-WAN) lets companies connect locations with multiple Internet links, securely, using algorithms and custom policies to direct traffic to the optimum link. Here are some of the ways an SD-WAN can meet these mega drivers:

Make the WAN more agile: SD-WAN enables IT to be more agile, deploying new locations and accommodating new business requests far faster than was possible with MPLS. By using inexpensive Internet services, companies can afford to over-provision site capacity, eliminating the delays associated with MPLS line upgrades. The use of the Internet and zero-touch provisioning, where the SD-WAN routers configure themselves upon connecting to the network, reduces the time and complexity of connecting a new site. Traditional SD-WAN still requires the configuration and implementation of advanced security if the remote site will use the Internet line for general Internet access. An SD-WAN that integrates advanced security — next generation firewall (NGFW), advanced threat protection, and the like — can also simplify and accelerate the deployment of the local security architecture.

Extend the scope of the WAN everywhere: Traditional business might have been done from fixed locations, but today’s business is done everywhere. Mobile users, though, were never incorporated into the WAN. They connect to enterprise resources through a virtual private network (VPN), part of a network security solution. VPNs are infamous for poor user experience and performance issues, in part because users connect through the unpredictable and slow public Internet. If they need to reach cloud applications, users must also connect back to a datacenter appliance, adding further latency. Expanding the scope of the WAN edge to the last mobile user sounds like fiction, but new WAN technologies treat mobile users as equal players, providing global, optimized and secure mobile connectivity for every user, everywhere.

Secure cloud and private resources: We need to securely extend the WAN to the cloud and optimize the connectivity. What were previously resources in a physical datacenter are now spread between physical datacenters and the cloud. Furthermore, the cloud datacenter may span multiple cloud providers. Integrating all of these “fragments” into a secure and optimized network is essential to realizing the benefits of cloud migration. This is easier said than done: if your WAN thinks “physical,” it will be hard-pressed to extend to the cloud. And the cloud will most likely introduce latency and other unforeseen optimization challenges. This doesn't mean the cloud isn't right for you; it does mean that the WAN has to evolve.

Reduce costs by eliminating MPLS and simplifying IT: SD-WAN promises to boost the capacity of the WAN by adding inexpensive Internet links to augment expensive MPLS ones. This is called a hybrid WAN. It’s a reasonable first step, but there is so much more. Hybrid WANs perpetuate the reliance on MPLS because of the unpredictable latency of the public Internet, especially for national and global organizations. SD-WAN must offer a roadmap for MPLS elimination with a cost-effective MPLS alternative. In addition, SD-WAN offers the opportunity to simplify IT structures. Instead of maintaining separate network security architectures — for WAN, mobile and cloud — companies can now consolidate around one holistic secure network architecture. This radical simplification gives IT visibility into and control over all aspects of the network, reducing operational complexity and costs. But it’s only possible with proper security in the network. The traditional WAN didn’t face this issue, as it backhauled Internet traffic across MPLS to the datacenter for secure Internet access. Security operations were simplified at the expense of network and application performance — precisely the factors driving demand for SD-WAN. Building advanced security into the network itself enables technical simplification of network security and ultimately — and this is often the most controversial part — allows for further cost savings through the integration of the networking and security teams.

An SD-WAN for Transformed Business

These are major considerations. The WAN represents a significant opportunity to change the way IT serves the business, with immediate and tangible benefits. While WAN transformation is a journey, it is essential that IT leaders do not fall into the trap of short-term thinking by solving one challenge at a time with point products. Whatever your approach, WAN transformation projects are architectural in nature. The capabilities of the architecture you choose will determine the incremental effort you will have to invest and the benefits you can reap. An ideal WAN architecture will eliminate MPLS connectivity costs, regionally and globally, extend the WAN to cloud resources and mobile users, and deliver network security everywhere. The WAN of the future — fast, agile, secure and all-inclusive — is in sight.

Transitioning to SD-WANs: Problems to Avoid

WAN Transformation: SD-WAN Cost and ROI Analysis

It’s no secret that traditional wide area networks (WANs) have to change. Much has been made about their high costs, long time to deploy, and poor fit for running Internet and cloud traffic. But the cost reductions often promised with the successor to traditional WANs, the software-defined wide area network (SD-WAN), are frequently misleading.

SD-WAN Cost Savings

Early marketing around SD-WAN technology pointed to the 90 percent cost difference between MPLS and Internet bandwidth costs. From this, many SD-WAN vendors claimed WAN transformation using SD-WAN would lead to comparable savings. The reality is very different. Cato surveyed 350+ IT professionals about their SD-WAN plans and deployments. While more than 89 percent of respondents who had already deployed an SD-WAN indicated that cost savings were an important priority in deploying SD-WAN, only 41 percent reported reducing WAN costs. Here’s why.

Can’t Eliminate MPLS

All too often, the cost savings of SD-WAN stem from the expectation of eliminating a carrier’s costly MPLS service. But there’s an excellent chance that most SD-WANs will not eliminate your MPLS service. In part, this has to do with regulatory or standards compliance. Many security professionals still do not trust SD-WAN across the open Internet to meet requirements. In other cases, SD-WAN over the open Internet lacks the consistent loss and jitter characteristics needed to run high-quality enterprise voice and other loss- and latency-sensitive applications. This is particularly true between Internet regions, where the long distances and lack of routes make finding alternate paths with the right networking characteristics particularly difficult.

More than Basic Internet

Preliminary SD-WAN calculations also often compare MPLS against the most basic Internet services. But all too often these services are insufficient, forcing companies to invest not only in business-grade Internet, but in services with redundant links to meet uptime expectations. All of this increases last-mile costs. Service provider management, an inherent part of any MPLS service, must be assumed by the enterprise with SD-WAN — another cost center.

Then there are also the additional security costs that often need to be calculated into the equation. As a rule, SD-WAN appliances do not provide advanced security. They encrypt traffic, like any other VPN, but lack the advanced security services necessary for defending against advanced persistent threats, malware penetration, and more. As a result, while SD-WAN can use the Internet to establish VPNs to locations, on its own it must still backhaul traffic to the company’s secured Internet portal, maintaining the same performance problems for cloud and Internet traffic experienced with MPLS. Delivering direct Internet access (DIA) locally will force the deployment of IPS, malware protection, next generation firewall (NGFW) and other advanced security services at each site or, more likely, in regional hubs, increasing the SD-WAN-related costs.

Cost Savings You Will See

But clearly SD-WAN deployments do realize cost savings in many cases, 41 percent in our survey. Where do those savings come from? Depending on the SD-WAN, cost savings, or more specifically cost avoidance, come from not having to replace end-of-life routers. Bandwidth costs, even with redundant fiber pairs, will drop somewhat when replacing MPLS in well-developed Internet regions. MPLS can be eliminated, but the SD-WAN needs to include a low-cost, SLA-backed backbone as the MPLS alternative. Security costs can also be reduced if the provider integrates advanced security services into the SD-WAN. Operational costs will also decline because the SD-WAN uses centralized configuration and management. In general, SD-WAN helps wide area networking move closer to becoming plug-and-play, but deployment is rarely outright simple. You still need to understand routing, policy configuration, network performance and more.

Bottom Line

The bottom line is that SD-WAN can help your bottom line. It’s partly a matter of setting proper expectations and partly a matter of finding an SD-WAN with the right security and performance characteristics to make DIA and an MPLS alternative possible. Do that and you too can join the happy 41 percent.

The Case for Replacing MPLS with Cloud-based SD-WAN: A Customer Story

One of the great things about Cato Cloud is its ability to simplify environments. By implementing an MPLS alternative, an SLA-backed WAN, and by eliminating the stacks of security appliances, bandwidth costs drop and operations become more efficient. It’s a story I’ve heard from so many customers in one way or another, most recently from Kevin McDaid, the systems manager at Fisher & Company.

Fisher & Company is a manufacturer for the automotive industry. The company has 1,700 employees spread across eight locations globally, and an instance in Azure. Initially the locations had been connected with MPLS and secured with local appliances. But like a lot of IT managers, Kevin was pretty fed up, when we spoke, with the costs and complexities of his MPLS configuration. The company was spending $27,000 a month for MPLS, $7,000 per month just on a connection from the US to Mexico. And three WAN optimizers meant a one-time outlay of nearly $60,000 with annual renewals of $7,000.

With stacks of appliances, including firewalls, WAN optimizers, and routers, comes complexity and a breeding ground for problems. “Our old MPLS provider proposed this very intricate architecture that looked like it was from a CCNA test,” he says. “The sites ended up with dual routers running HSRP (the Hot Standby Router Protocol) to load balance traffic between them. But when the protocol failed, so did the location.”

Survivability was a challenge in other ways as well. Backhauling traffic across the MPLS network created a single point of failure. “When the provider’s MPLS router failed, we lost our headquarters and the entire company stopped working,” says Kevin. “I was woken up in the middle of the night on several instances because a fiber cut or power outage had taken down a site, or to get the provider to fix a minor firewall problem.”

Finally, managing the MPLS and security infrastructure was painful. McDaid and his team had to jump between “tons” of management interfaces, he says. They could monitor firewalls and the network, but the provider had to make any changes. “Something as simple as enabling access to a website through our firewall meant having to call support. It was very frustrating.”

See how Fisher used Cato Cloud to reduce costs, improve operations, and much more with an affordable MPLS alternative in the full case study.

How Secure is Your SD-WAN?

The market for SD-WAN has been driven in part by its ability to reduce bandwidth costs and improve the performance of cloud access. These drivers, though, also come with baggage: the reassessment of today’s corporate security model.

Traditionally, wide area networks (WANs) and network security were loosely coupled entities. Networking teams focused on the connectivity between locations; security teams focused on protecting against malware threats and other external or application-layer security issues. Security between locations, though, was not an issue provided the WAN was based, as most were, on a private MPLS service. With its ability to separate customer traffic, an MPLS service gives enterprise IT professionals enough “confidence” to send data unencrypted between locations.

This amicable live-and-let-live separation falls apart with today’s SD-WAN. In order for companies to realize SD-WAN’s cost savings and cloud performance benefits, branch offices must be connected directly to and communicate across the Internet. This requires a shift in our security models. We can no longer assume that the WAN is secure. Instead, we must bring the networking and security disciplines closer together. To do that, we must think about network security at three levels — traffic protection, threat protection, and securing mobile and cloud access.

Traffic Protection

The reliance on the public Internet requires the SD-WAN to protect traffic against eavesdropping. Any SD-WAN should build a virtual overlay of encrypted tunnels between locations. The SD-WAN makes configuring this mesh of tunnels simple, managing the encryption keys, creating the tunnels, and automating their full-mesh setup. The encryption protocols typically used are the legacy, and less efficient, IPsec and the newer, and more advanced, DTLS.

Threat Protection

While traffic protection secures traffic in transit from interception by third parties, the SD-WAN is still not protected against malware infections, phishing attempts, data exfiltration, or other Internet-based threats. Advanced threat protection addresses these risks with various technologies, such as next generation firewall (NGFW), Secure Web Gateway (SWG), malware protection, and Intrusion Prevention System (IPS).

The most common way to deliver threat protection at a branch is to deploy a local firewall or UTM appliance. It is also the most problematic, resulting in appliance sprawl and the high overhead of configuring, patching and upgrading appliances at each location. Traditional WANs overcome the problem by centralizing security appliances at a datacenter or regional hub. Internet-bound traffic is backhauled across the MPLS network to this secured Internet access point, inspected, and then sent to the Internet. It’s a cost-effective, manageable approach, but one that introduces latency into Internet- and cloud-based applications and wastes MPLS capacity.

Backhauling traffic makes little sense when branch offices connect into the SD-WAN with Internet lines. But because traditional SD-WAN lacks integrated threat protection, companies are unable to use these Internet lines for direct Internet access at the branch, and backhauling to a data center must continue. Here’s where SD-WAN architects must consider their options carefully.

Rather than deploying physical security appliances at remote locations or backhauling traffic, some SD-WAN vendors address the threat protection problem through the use of Virtual Network Functions (VNFs) or Firewall-as-a-Service (FWaaS). With a VNF, a network security stack is deployed in virtual form onto the SD-WAN box or another white box known as a vCPE. This model can reduce the number of physical appliances at the branch office. However, it still requires full management of the virtual appliance software and policies. Furthermore, the compute-intensive nature of security functions can impact the core networking functions of the device if sizing isn't done properly. As traffic volumes grow or the SSL-encrypted traffic mix changes, security professionals find they’re in the unenviable position of having to choose between disabling some features and compromising security, or being forced into a hardware upgrade, often outside of their budget cycle.

Alternatively, Firewall as a Service (FWaaS) can extend network security in the cloud and to all locations without physical or virtual appliances in the branch office, or anywhere else for that matter. Scaling and maintaining security infrastructure that was built as a cloud service from the ground up eliminates the maintenance workload and capacity uncertainty associated with network security appliance deployments and a changing traffic volume and traffic mix.

Secure Cloud and Mobile Access

The new ways we are doing business these days put pressure on the fabric of the legacy WAN. The heart of the business now includes not only physical locations, which are the primary focus of traditional SD-WAN, but also cloud data centers, cloud applications and mobile users. We need to connect these resources to our WAN, provide optimal access, and secure that access.

Cloud datacenters and Software-as-a-Service (SaaS) applications are at the root of the problem. As we migrate datacenter applications to a cloud datacenter or to public cloud applications, we need to provide secure and optimized access to these applications at their new home. We need to ensure our security infrastructure extends to all traffic flows, not just those between our locations but also those between locations, mobile users, and the cloud. Naturally, we can “shove” everyone into a choke point in the physical datacenter and from there, using centralized security, get to the cloud. This solution will work, we have been using mobile VPN for years, but users will hate it. Branches or travelling users may be far from the datacenter, and the datacenter may be far from the cloud destinations. Users would prefer to go directly to the cloud, and IT would like to enable that access, if security can be maintained. SD-WAN must support these new requirements.

SD-WAN and Security: Breaking the Silos

When you consider an SD-WAN deployment, network security is a major consideration that could dramatically impact the business value you will extract from the project. Traditionally, the networking and security domains are separate, and we tend to follow the silos and make decisions in a vacuum. The result is a suboptimal network design that forces the traffic of a software-defined and agile network into a rigid, static security architecture. We should drive our WAN transformation in a way that advances an integrated approach to networking and security, and aligns our WAN with the needs of the global, cloud-centric and mobile-first enterprise.

Sun Rich: A Lesson in the Benefits of a Fully Converged WAN

Fast-growing companies have a nasty habit of accumulating “networking stuff” that ultimately brings complexity and complications to the lives of IT. Just ask Adam Laing, the systems administrator at Sun Rich, a fresh produce provider to foodservice and retail markets throughout North America.

Laing found himself managing the headaches of rapid growth. An MPLS network that connected all of his facilities was costing him far too much in North America. And network performance was often too limited to carry his Remote Desktop Protocol (RDP) traffic. “Today, you can’t run a business on 3 Mbits/s connections to your branches,” says Laing. “We ended up paying a lot of money for nothing.”

The centralized Internet design of his MPLS deployment undermined cloud and Internet performance. Backhauling the Internet traffic to the datacenter, coupled with the limited capacity at each location, meant users experienced general “sluggishness” when accessing applications. Connecting to Azure was difficult because “performance was not where it needed to be,” says Laing. The limited performance would also have made migrating to Office 365 and SharePoint impossible, he says.

Numerous security appliances, such as firewalls and anti-malware, were needed to protect locations. Appliances carry their own operational hit, requiring patching, capacity planning, and often forcing upgrades when traffic jumps or after enabling additional compute-intensive services.

To top it off, mobile users were presenting their own challenges. A third-party service was used to connect mobile users, which required its own policies and configuration. Visibility was limited as many users would connect directly to the Internet, bypassing corporate security controls.

In short, Sun Rich was drowning in cost and complexity. Sun Rich needed an alternative to MPLS. Laing tried deploying SD-WAN appliances with multiple, active broadband connections, but no number of local links could compensate for the poor Internet routing users experienced at some branches. And SD-WAN appliances do nothing for mobile users or advanced security challenges.

Learn how Laing used Cato to address his Internet and MPLS woes -- and a whole lot more -- in the full case study.

What is SD-WAN and can it transform enterprise networking?

What is SD-WAN and can it transform enterprise networking? The WAN is evolving after years of stagnation, and SD-WAN is all the rage. What is the promise driving SD-WAN? In short, SD-WAN aims to remove the constraints of legacy connectivity technologies, namely MPLS and the unmanaged public Internet, ushering a new age of flexible, resilient and secure networks. Network Constraints Make for IT Constraints For years, organizations had to choose between a private, predictable, yet rigid and expensive MPLS service, or the inexpensive and unpredictable, yet affordable, Internet service. Layered on top of that tough tradeoff, are considerations like availability and capacity. Many enterprises eventually used a mix of both technologies: MPLS links for production with Internet standby at each location, or a mixed network where some locations are connected via MPLS and others connect through public Internet site-to-site VPNs. None of this was easy to manage and generations of network professionals had to manually configure and reconfigure routers and WAN optimizers to manage this complex environment. Enter SD-WAN. The SD-WAN edge router can dynamically route traffic over multiple transports, such as MPLS, cable, xDSL, 4G/LTE, based on the type of traffic (voice, video, cloud and “recreational”) and the quality of the transport (as measured by latency, packet loss, and jitter). SD-WAN edge routers let organizations boost overall capacity available for production (no more wasteful “standby” capacity) and it automates application traffic routing based on real-time monitoring of changing conditions. Instead of crude command line interfaces that were error prone and slowed deployments, SD-WAN leverages zero-touch provisioning, policies, and other technologies to automate once time-consuming, manual configuration.. Three Things to Watch for with Edge SD-WAN Architecture The SD-WAN promise of improved capacity and availability is a great first step in the WAN transformation. 
But it is important to recognize where SD-WAN falls short.

Continued Dependency on MPLS Minimizes Cost Avoidance

The SD-WAN edge architecture contains an underlying assumption that there is a predictable transport, like MPLS, to carry latency-sensitive traffic. The Internet is too unpredictable to deliver enterprise-grade, latency-sensitive applications on a predictable basis, particularly between Internet regions. While edge SD-WAN can fall back to an alternate path if MPLS is unavailable, and users may be willing to tolerate fluctuations in service during a short outage, it is important to recognize that edge SD-WAN perpetuates the reliance on MPLS. As such, SD-WAN’s impact on the substantial ongoing IT investment in MPLS is limited.

Lack of Integrated Security Increases Network Security Costs

The SD-WAN edge architecture opens up the organization to the Internet and supports the overall migration to cloud services. However, this creates a new attack surface for the organization that must be secured. Edge SD-WAN does not address security requirements. Organizations need to extend their security architecture to support SD-WAN projects using edge firewalls, cloud-based security services, or backhauling and service chaining into their existing security infrastructure. So, while SD-WAN edge creates flexibility and opportunity in the network area, it could, and often does, increase cost and complexity from a security perspective.

SD-WAN and Cloud Connectivity

The SD-WAN edge isn't in a position to support cloud resources and mobile users. Since it was designed to solve a branch office problem, the SD-WAN edge had to be stretched to the cloud as an afterthought, while mobile users do not benefit at all from the new network capabilities. SD-WAN, the “all new” WAN architecture, is solving the problems of the past with little focus on the new ways business gets done.
The Cato Cloud: SD-WAN with Backbone

Cato Networks converges the entire scope discussed above into a single cloud-based service. The Cato Cloud delivers advanced SD-WAN capabilities, including multi-transport support, last-mile optimization and policy-based routing. But Cato also thought through the full set of implications and requirements needed for a full WAN transformation. The SLA-backed global backbone at the core of Cato Cloud is a credible and affordable MPLS alternative. An enterprise-grade network security stack built into the backbone extends security everywhere without the need to deploy additional security products. And the tunnel overlay architecture connects all resources to the service in the same way: physical locations, cloud resources and mobile users.

AdRoll: How to Improve Contractor Management and Mobile Access to the Cloud

Customer Case Study

As companies embrace contractors and the “gig economy,” IT professionals need to reconsider their approach to mobility and access. Providing outside contractors with mobile access presents a range of IT challenges. Processes need to be put into place for quickly provisioning remote users. Accommodations must be made for devices IT can neither vet nor manage. Just the right level of access needs to be provided to an ever-changing stream of users. De-provisioning these users and revoking access must be equally simple.

Existing appliance-based mobile security solutions often miss the mark. They require new management, provisioning and security software distinct from that which is in place for the WAN. Defining access rights in particular is an issue. “Traditional [mobile] VPNs mean opening the door to everything [on the network],” says Adrian Dunne, global director of IT at AdRoll, a leading marketing technology provider.

Dunne’s team manages a global network with 350 offsite contractors constituting about half of its workforce and three datacenters in Amazon AWS. Restricting access for those contractors was just one part of the challenge that ultimately led him to select Cato Cloud as his SD-WAN and mobile access solution. Resiliency issues had crippled his network at one time or another. User experience was suffering due to the networking architecture. Onboarding new users was cumbersome.

With Cato he addressed those issues and gained deeper insight into how all users access his cloud resources. “Now we can see who’s connecting when and how much traffic is being sent, information that was unavailable with our previous VPN provider,” he says. Learn how he confronted his mobile access challenge, how Cato Cloud dramatically improved his network and mobile user experience, and how his experience can help you. Read his story here.

Simplifying your Office 365 Deployment with Cato

If your company is like a lot of companies we see, you’re probably using or considering Microsoft Office 365. According to Gartner research, most companies who’ve deployed Office 365 are happy with the application, though a significant number cite networking-related issues as sources of technical problems. Latency can be too high for some Office 365 applications, particularly with centralized Internet access. Performance is better when going direct to the Internet, but securing the deployment is challenging when Internet access is distributed. Mobile users present their own challenges.

Learn more about the networking challenges facing Office 365 and how you might solve them in our webinar next week at 1:00pm ET, September 13 or 10:00am BST, September 14. Steve Garson, president of SD-WAN Experts, will bring his real-world experience helping companies build WANs for Office 365. He’ll explain the technical issues facing Office 365 from a networking standpoint and how you might solve them. I’ll discuss how Cato addresses the issues, demo our implementation, and show how Cato can improve Office 365 performance by 10x or more.

After the webinar you will be able to answer questions like:
- Why are traditional networks a poor fit for Office 365?
- What components of Office 365 cause problems for networks, and why?
- What are the network architectural choices for Office 365?
- How do those choices differ in terms of security, performance, reliability, and costs?
- What’s the Cato approach and how does it align with those choices?

Participants will also be able to access an Office 365 toolbox that Steve’s put together. It’s a nifty collection of Office 365 links and networking utilities he uses in his deployments. You can register for the webinar here. Have a specific question you’d like to see addressed? Email it to me at dave@catonetworks.com.

Battle of the Global Backbones: What are Your Options?

Globalization is driving enterprises of all sizes to expand internationally. Manufacturers create new facilities in Asia and Latin America and, more specifically, in China, behind the Great Firewall of China. Engineering firms need to extend corporate applications to their field personnel in temporary project sites. Retailers expand regionally to new countries where they have no existing footprint or IT capabilities. Professional services organizations migrate to cloud services, such as Office 365, and need to rethink their global mobile connectivity as the sun sets on their regionally distributed Exchange architecture. Young technology companies build global cloud footprints designed to deliver application services everywhere.

The common theme underpinning globalization is the need to keep businesses connected and secure. This is a tall order, as the pace of business and the need for speed, agility, and cost control are critical to keeping the organization’s competitive edge. What options are on the table to achieve optimized, secure connectivity at a global scale? There are three major options — global MPLS, the public Internet and cloud networks.

The Public Internet

The Internet is the default backbone. It is the medium we use for our home and recreational activities. If the Internet underperforms occasionally, we accept it as a fact of life. Enterprises that could not afford global MPLS had to use Internet-based services. IT often had to grapple with the inconsistency of the Internet due to its convoluted routing and susceptibility to packet loss. Unlike a short buffering pause on a Netflix movie, packet loss can severely impact business-critical functions, such as Voice-over-IP (VoIP) and remote desktops.
In many cases, enterprises had to fragment their networks: key locations used MPLS connectivity while other locations, especially in remote regions, used site-to-site VPNs over the public Internet. Capital costs were reduced, but operational complexity increased and service delivery became inconsistent.

Global MPLS Services

Large enterprises traditionally turned to global telecom providers to connect their international locations and enabled end-to-end connectivity using an MPLS service. The telcos’ MPLS offering included last-mile services to the customer premises, a global backbone, and a set of guarantees around capacity, latency, packet loss and availability. This level of service required expensive underlying technology, sold at a high premium to enterprises that could afford it. One of the key drivers for the emerging SD-WAN solutions is to offload expensive MPLS bandwidth to the public Internet for cost savings.

Cloud Networks

Cloud networks revolutionize global connectivity. Using software, commodity hardware, and excess capacity within global carrier backbones, cloud networks provide affordable SLA-backed connectivity at global scale. Cloud networks deploy edge devices to combine last-mile transports, such as fiber, cable, xDSL, and 4G/LTE, to reach a regional point-of-presence (PoP). From the regional PoP, traffic is routed globally to the PoP closest to the destination using tier-1 and SLA-backed global carriers. By keeping the traffic on the same carrier backbone, packet loss is minimized, and latency can be guaranteed between global locations. This model extends to cloud services as well. Traffic to Salesforce.com, Office 365, or cloud datacenters, such as Amazon AWS and Microsoft Azure, exits at the PoP closest to these services, in many cases within the same datacenter hosting both the PoP and the cloud service instance. This is a dramatic improvement over the unpredictable public Internet and a significant cost saving versus the expensive MPLS option.
The table below summarizes some of the tradeoffs of these backbone approaches.

                                 Public Internet   MPLS    Cloud Network
Global Optimization
  Packet Loss                    No                Yes     Yes
  Routing and Latency            No                Yes     Yes
  Global Coverage                Complete          Broad   Expanding
Resource Access Optimization
  Physical Locations             Yes               Yes     Yes
  Hybrid Cloud                   No                No      Yes
  Public Cloud Apps              No                No      Yes
  Mobile Users                   No                No      Yes
Security
  Transport                      No                No      Yes
  Cyber Threats                  No                No      Yes
Management
  Rapid Deployment               Yes               No      Yes
  Policy-based Routing           No                No      Yes
  End-to-End Analytics           No                Yes     Yes
Cost                             Low               High    Medium

Why Global SD-WAN powered by IP Transit Backbone is Perfect for the Post-MPLS Era

The Search for an Affordable MPLS Alternative

Global organizations are looking for SD-WAN services to provide an affordable MPLS alternative. If you are already using MPLS, you are well aware of its challenges: high costs, rigidity, long time to deploy and incompatibility with the growing demand for direct cloud and Internet access. For a long time, organizations made a tough tradeoff: pay the price of MPLS for a consistent and predictable network experience, or use the affordable but unpredictable, best-effort public Internet. Now, a new breed of cloud networks is leveraging technological and business advancements in global connectivity to create a high-quality alternative: a network that is more affordable than MPLS and more consistent than the public Internet.

We discussed at length what makes the public Internet a problematic WAN backbone. At a very high level, the Internet is not orchestrated to ensure global routing is continuously optimized for minimal Round Trip Time (RTT) through optimal route selection and packet loss mitigation. There are two main reasons why Internet orchestration isn't possible. First, the service providers that comprise the Internet make routing decisions based on commercial interests, not optimal performance. Second, the protocol that binds the Internet together, BGP, is not built to consider the changing conditions of Internet routes, such as packet loss, latency and jitter, just the distance, measured in hops, between source and destination.

To build a credible alternative to MPLS, we need to address global orchestration that enables dynamic routing based on end-to-end route quality. But, in order not to end up with the same cost and complexity as MPLS, we need to use a lower-cost platform. This is where IP transit enters the picture.
IP Transit and the Public Internet

IP transit is a global connectivity approach used by providers such as NTT, PCCW, Telia and GTT. These providers deployed global backbones with huge capacity that carry the majority of Internet traffic today. No single carrier covers the entire globe, but each has a substantial intercontinental footprint. The network buildout of the last decade created excess capacity, which drove down the price per megabit. Capacity was added to accommodate the growth of global platforms, such as Facebook and Amazon, as well as increased traffic from DDoS attacks. This additional capacity has created a low-cost backbone option for businesses, with SLAs on global round-trip times. However, complex contracting and volume-based pricing make IP transit accessible only to the largest enterprises.

The public Internet simplifies enterprise networking through local ISPs that use Internet exchange points. IXs enable regional and global ISPs to share Internet routes and capacity with each other through Internet peering. However, Internet exchanges still mean enterprises can’t control which ISP carries their traffic, or how routes are selected.

Cato Cloud: Globally Orchestrated, Quality-Aware Overlay of IP Transit Providers

Cato has built a cloud network that leverages the low costs, high capacities and SLAs offered by IP transit providers. Cato uses advanced software to dynamically optimize global routing over multiple IP transit providers. As with any cloud service, Cato unburdens enterprise IT by assuming the complexity of contracting, deploying and orchestrating this global network. And, by using commodity hardware and its own software, Cato can pass the aggregate benefits of IP transit to customers in the form of very competitive pricing.

How does it work?

Cato has built a global network of PoPs from infrastructure in tier-1 datacenters and global cloud providers.
Cato directly contracted with multiple tier-1 IP transit providers and bought massive SLA-backed capacity. In places where we can't directly access tier-1 IP transit providers, we rely on Amazon AWS and other leading cloud providers who also use IP transit services from tier-1 providers. Cato’s PoP software leverages the global underlying providers to create a fully meshed tunnel overlay between all PoPs. The PoP software continuously measures route quality, tracking statistics such as latency and packet loss rates. The impact on RTT is minimized through WAN optimization techniques.

Using this cloud network architecture we achieve global orchestration of traffic routing by dynamically selecting the best route between customer locations. Cato monitors the packet loss and latency of all relevant routes, and continuously identifies the best route, based on RTT, in real time.

The benefits of the above architecture are twofold. First, the Cato Cloud provides better and more consistent RTT than the public Internet in most global scenarios, approaching MPLS numbers at a fraction of the cost. This helps support global deployments of latency-sensitive applications, such as voice and Remote Desktop (RDP). Second, because the Cato Cloud optimizes the last mile independently of the middle mile, it can maximize global throughput for bandwidth-intensive applications, such as backup and file transfer. Throughput is maximized by maximizing the TCP window size, which is made possible by reducing the time to detect and recover from packet loss.

Cato Provides Organizations of All Sizes with an Affordable Global Backbone

Cato isn't “using the Internet” in its unmanaged and uncontrolled form. Cato leverages the Internet for what it’s best at — access. The Cato backbone, though, is built from a combination of sophisticated software, commodity off-the-shelf hardware, and affordable, high-capacity, SLA-backed IP transit infrastructure.
It’s a modern architecture that can support enterprise connectivity requirements for branch locations, cloud applications and infrastructure, and mobile users anywhere in the world. Could Cato use a more expensive, dedicated transport for its cloud network? Sure. But customers would have to pay a hefty price for no real improvement in service. In our view, if it costs like MPLS and behaves like MPLS, it is basically MPLS. We chose to innovate and use abundant and affordable global capacity, coupled with our proprietary software, to dramatically reduce the price of connectivity, deliver consistent and excellent service, and make it available to organizations of all sizes.
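The quality-aware route selection described in this post (and the per-transport choice by latency, packet loss and jitter that the SD-WAN post above attributes to edge routers) can be shown with a small simulation. This is an added example, not Cato’s PoP software: each candidate route keeps a sliding window of probe results, a route is eligible only while its measured loss stays under a threshold, the lowest-RTT eligible route wins, and a switch threshold (hysteresis, which the text does not mention) keeps the choice from flapping between near-equal routes. It also includes the Mathis et al. approximation of the TCP throughput ceiling as a function of RTT and loss, which is the mechanism behind the statement that faster loss recovery raises throughput. Provider names and probe samples are constructed.

```python
"""Quality-aware path selection over several transit providers.

Added example (not Cato's PoP software). Route names and probe
samples are constructed for illustration.
"""
from collections import deque
from math import sqrt
from statistics import fmean
from typing import Optional


class RouteStats:
    """Sliding-window RTT and loss statistics for one candidate route."""

    def __init__(self, name: str, window: int = 5) -> None:
        self.name = name
        self.rtts = deque(maxlen=window)       # RTTs of delivered probes (ms)
        self.delivered = deque(maxlen=window)  # True per probe that came back

    def observe(self, rtt_ms: float, lost: bool = False) -> None:
        """Record one probe; a lost probe counts toward loss but not RTT."""
        self.delivered.append(not lost)
        if not lost:
            self.rtts.append(rtt_ms)

    def ready(self) -> bool:
        return len(self.rtts) > 0

    def loss(self) -> float:
        """Fraction of probes in the window that were lost (0.0 to 1.0)."""
        return 1.0 - sum(self.delivered) / len(self.delivered)

    def rtt_ms(self) -> float:
        return fmean(self.rtts)


class PathSelector:
    """Chooses the best route between two PoPs from live probe data."""

    def __init__(self, loss_max: float = 0.05, hysteresis_ms: float = 5.0,
                 window: int = 5) -> None:
        self.routes: dict[str, RouteStats] = {}
        self.loss_max = loss_max            # loss above this disqualifies a route
        self.hysteresis_ms = hysteresis_ms  # RTT gain required before switching
        self.window = window
        self.current: Optional[str] = None

    def route(self, name: str) -> RouteStats:
        if name not in self.routes:
            self.routes[name] = RouteStats(name, self.window)
        return self.routes[name]

    def observe(self, name: str, rtt_ms: float, lost: bool = False) -> None:
        self.route(name).observe(rtt_ms, lost)

    def select(self) -> Optional[str]:
        """Return the route to use now; keeps the current one on a near-tie."""
        eligible = [r for r in self.routes.values()
                    if r.ready() and r.loss() <= self.loss_max]
        if not eligible:
            return self.current  # nothing healthy: stick with what we have
        best = min(eligible, key=lambda r: r.rtt_ms())
        cur = self.routes.get(self.current) if self.current else None
        if cur in eligible and best.rtt_ms() + self.hysteresis_ms >= cur.rtt_ms():
            return self.current  # improvement too small to justify a switch
        self.current = best.name
        return self.current


def mathis_ceiling_mbps(rtt_ms: float, loss: float, mss_bytes: int = 1460) -> float:
    """Mathis et al. approximation of the TCP throughput upper bound,
    roughly MSS / RTT * 1.22 / sqrt(loss): halving RTT or quartering
    loss doubles the ceiling, which is why loss recovery time matters."""
    if loss <= 0:
        return float("inf")
    return (mss_bytes * 8 / (rtt_ms / 1000.0)) * 1.22 / sqrt(loss) / 1e6


def run_demo() -> dict:
    """Feed constructed probes through the selector and report the decisions."""
    sel = PathSelector(loss_max=0.05, hysteresis_ms=5.0, window=5)
    for rtt in (80, 82, 81, 79, 80):          # provider-a: stable, ~80 ms
        sel.observe("provider-a", rtt)
    first = sel.select()                      # only provider-a is known yet
    for rtt in (78, 78, 78, 78, 78):          # provider-c: 78 ms, within hysteresis
        sel.observe("provider-c", rtt)
    second = sel.select()                     # stays on provider-a (gain < 5 ms)
    for rtt in (60, 61, 59, 60):              # provider-b: fast but lossy
        sel.observe("provider-b", rtt)
    sel.observe("provider-b", 0, lost=True)   # one lost probe: 20% loss in window
    for rtt in (60, 60, 60, 60, 60):          # provider-c improves to 60 ms
        sel.observe("provider-c", rtt)
    third = sel.select()                      # provider-b disqualified; switch to c
    return {
        "decisions": [first, second, third],
        "provider_b_loss": sel.route("provider-b").loss(),
        "ceiling_mbps_100ms_1pct": mathis_ceiling_mbps(100, 0.01),
    }


if __name__ == "__main__":
    print(run_demo())
```

The loss threshold is applied before RTT is compared, so a short, lossy route never wins on latency alone; that ordering is the point of the text's "packet loss and latency" wording, since loss is what collapses the TCP window.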

SD-WAN vs. MPLS: Choose the best WAN solution for you

Unless you were living under a rock, you probably heard about SD-WAN and its promise to transform enterprise networking as we know it. And by enterprise networking we mean the use of MPLS at the core of enterprise networks. So, to SD-WAN or to MPLS? Here is what you need to consider.

MPLS Pros and Cons

If you are an MPLS customer, you are familiar with the benefits and challenges of the technology. MPLS is a premium networking service with guarantees around dedicated capacity, maximum latency and packet loss, and link availability. However, the service that comes with these guarantees is very costly, forcing enterprises to deploy just enough MPLS capacity in order to reduce their monthly spend. Furthermore, to ensure service levels, MPLS services must be deployed to the customer premises, which creates substantial lag time until a new office can be up and running on the service. To meet service levels, carriers prefer to keep their MPLS networks very stable, so changes and adjustments also tend to be slow.

The MPLS architecture and its guarantees are now under pressure. As business applications migrate to the cloud, demand for Internet capacity increases. In the past, companies backhauled Internet traffic across their MPLS backbone to a secured Internet portal. The cost of that backhaul, from both a capacity and a latency standpoint, was manageable when Internet usage was minimal. This is no longer the case. In addition, MPLS service guarantees were offered between enterprise locations, not between the enterprise and the Internet, where the customer’s carrier ultimately lost control of the traffic to other carriers.

SD-WAN Edge Appliances: Not Quite the Answer

This is where SD-WAN comes into play. SD-WAN creates a superset of MPLS by incorporating the MPLS service into a virtual overlay that includes additional services, such as cable, xDSL and 4G/LTE.
These services offer a different set of attributes than MPLS: more capacity for less cost and faster deployment, but often less predictability. By routing traffic across the overlay based on application requirements and underlying service quality, SD-WAN can bypass some of the challenges of MPLS. Routing becomes more flexible and backhauling of Internet traffic can be reduced. Services can be aggregated to maximize capacity. Branches can be deployed more quickly, initially on Internet services and with MPLS brought into the overlay as needed.

SD-WAN has several key challenges when compared with traditional MPLS architectures. Customers need to secure Internet traffic at the branch location or in the cloud to benefit from backhaul elimination. SD-WAN using edge technology alone cannot replace MPLS, unless the customer is willing to relinquish the end-to-end latency and packet loss guarantees that come with MPLS. Cloud resources and mobile users are unaffected by the SD-WAN edge capabilities, which are designed for physical locations.

Some of these issues may not be critical in all cases. For example, regional customers that have stable and high-quality Internet connectivity may not see packet loss or latency as inhibitors to moving off MPLS. Another example would be a move to cloud-based apps that makes MPLS less critical to ensuring application service levels. In both cases, SD-WAN can help support the transition from a hybrid WAN (MPLS+Internet) to an Internet-only WAN.

Cloud-Based SD-WAN: A New Approach

Some SD-WAN vendors, like Cato Networks, expanded the scope of SD-WAN into a cloud-based, global SD-WAN service that includes an SLA-backed backbone, built-in security, and extension of the overlay to cloud resources and mobile users. This architecture enables enterprises to augment and ultimately replace their MPLS architectures, address new security requirements, and support their needs outside branch locations. Ultimately, customers need to make a decision.
Continue with the current MPLS architecture, or deploy one of the flavors of SD-WAN we discussed above to augment or eliminate MPLS. In the table below we summarize the considerations to make this decision. We compare MPLS, Edge SD-WAN (using edge routers and central management), and Cloud-based SD-WAN (using a private backbone with built-in Next Generation Firewall).

                                  MPLS,            SD-WAN Edge       SD-WAN Edge       Cloud-based
                                  Internet Backup  (MPLS+Internet)   (Dual Internet)   SD-WAN
SLA-backed Coverage
  Global                          Yes              N/A               N/A               Yes
  Regional                        Yes              N/A               N/A               Yes
Security
  Encryption                      No               Yes               Yes               Yes
  Integrated Threat Protection    No               No                No                Yes
Management
  Zero-Touch Provisioning         No               Yes               Yes               Yes
  Policy-Based Routing            No               Yes               Yes               Yes
  End-to-End Analytics            No               Yes               Yes               Yes
End Points
  Physical Locations              Yes              Yes               Yes               Yes
  Hybrid Cloud                    Limited          Yes (appliance)   Yes (appliance)   Yes (agentless)
  Public Cloud Apps               No               Yes               Yes               Yes
  Mobile Users                    No               No                No                Yes
Total Cost
  (services, hardware, software)  High             Medium-High       Medium-High       Low-Medium

To learn more about SD-WAN vs. MPLS, and the way Cato Networks can transform, streamline and simplify your network and security, get in touch with one of our specialists.

Related articles:
- SD-WAN pros and cons
- SD-WAN vs MPLS

The SD-WAN Buyer Collection: EBooks and the Guru Test for Building Tomorrow’s Backbone, Today

So you’ve decided to get off your MPLS service, but “To what?” is the question. What are the issues to consider when re-evaluating MPLS and its successor? To answer those and other questions, we’ve put together an ebook extravaganza, packed with helpful tips and insights. Think you’ve mastered SD-WAN? Take the Cato Quiz and find out if you’re really a Guru. The eBooks start with the reevaluation of your MPLS provider, consider the alternatives, and wrap up with a look at the new WAN:

How to Re-Evaluate your MPLS Provider

Stop fielding complaints about Internet and cloud performance. In this e-book, we’ll talk about the “sins” of Internet backhaul and why it’s so damaging to your network. Then we’ll dig into the three approaches to solving the problem. There are four key network design considerations to keep in mind — availability, capacity, latency, and security. We’ll discuss each of those and provide a concise table comparing MPLS, traditional SD-WAN and cloud-based SD-WAN. Get the full details here.

MPLS, SD-WAN and the Promise of N+SaaS

Today’s WANs face all sorts of challenges — bandwidth, costs, visibility, and more — some of which are addressed by SD-WANs. But even with traditional SD-WANs, companies still find that visibility and control are constrained to their sites, failing to accommodate some of the biggest trends of the modern business. Guaranteed performance, cloud resources, mobile users, advanced security — these issues are left unaddressed by traditional SD-WANs. We’ll explore the challenges facing MPLS, which ones are addressed by traditional SD-WANs, and how a different kind of SD-WAN architecture can fill the gaps. Click here for the free download.
The New WAN: Why the Private Internet Will Replace MPLS

Backbone conversations put IT in a pickle: choose MPLS and suffer its high costs, lack of agility, and unsuitability for the Internet and the cloud, or choose the public Internet and suffer its poor performance, instability, and lack of security. But there’s a third choice: an SLA-backed global network with the price of the Internet and the predictability of MPLS. We’ll take a close look at the “UberNet” and how it compares with MPLS and the Internet. Get your personal copy here.

Once you’ve completed your studies, test your knowledge with the Cato Quiz. It’s a light-hearted, 8-question evaluation of your success. Check it out and be sure to shout out your grade on Twitter.

Cato Adds IPS as a Service with Context-Aware Protection to Cato SD-WAN

Cato SD-WAN is First to Converge Global Networking and Advanced Security Services

Cato introduced today a context-aware Intrusion Prevention System (IPS) as part of its Cato Cloud secure SD-WAN service. Cato’s cloud-based IPS is fully converged with the rest of Cato’s security services, which include next generation firewall (NGFW), secure web gateway (SWG), URL filtering, and malware protection. Cato IPS is the first to be integrated with a global SD-WAN service, bringing context-aware protection to users everywhere.

Cato IPS as a Service

Today’s IPS appliances are hampered by many factors. The increased use of encrypted traffic makes TLS/SSL inspection essential. However, inspecting encrypted traffic degrades IPS performance. IPS inspection is also location-bound and often does not extend to cloud and mobile traffic. And appliances must be constantly updated with new signatures and software patches, increasing IT operational costs. Cato solves these problems with a managed and adaptive cloud-based IPS service that delivers advanced security everywhere with unlimited inspection capacity:

Managed and Adaptive Cloud Service: Cato Research Labs leverages big data insights derived from the Cato Cloud to update, tune and maintain IPS signatures without customer involvement. New signatures are validated on real traffic, which allows them to be optimized for maximum effectiveness before being applied to production customer traffic.

Advanced Security Everywhere: Internet and wide area network (WAN) traffic is scanned and protected for all branch offices and mobile users regardless of location.

Unlimited Inspection Capacity: The Cato IPS has no capacity constraints, inspecting all traffic, including TLS traffic, today and in the future.
Context-Aware Protection

Beyond common protection for the latest vulnerabilities and exploits, Cato IPS uses a set of advanced behavioral signatures to protect against complex attacks by identifying suspicious traffic patterns. Leveraging the converged network and security cloud platform, Cato’s IPS has access to unique context across multiple domains typically unavailable to a standard IPS. The use of this context makes IPS signatures more accurate (reducing false positives) and more effective (reducing false negatives). The context attributes include:

Layer-7 Application Awareness: The Cato IPS is application-aware, applying rules based on network services, business applications, and application categories.

User Identity Awareness: The Cato IPS recognizes user identity based on Active Directory.

Geolocation: Cato IPS can enforce customer-specific geo-protection policies to stop traffic based on the source and destination country.

User Agent and Client Fingerprinting: The Cato IPS identifies the sending client, such as a browser type or mobile device.

True Filetype Inspection: A common attack vector is to mask executables attached to a message by changing the appearance of filename extensions. The Cato IPS identifies and blocks such threats by inspecting the data stream to determine the actual filetype.

DNS Queries and Activation: By investigating the DNS stream, the Cato IPS can run heuristics to detect anomalies in DNS queries indicating a domain generation algorithm (DGA) or malware-related DNS queries.

Domain or IP Reputation Analysis: In-house and external intelligence feeds enable the Cato IPS to detect and stop inbound and outbound communications with potentially compromised or malicious resources, such as domains and IP addresses that are newly registered or whose reputations are labeled unknown, suspicious, or malicious.

Cato IPS in Action

The combination of functions allows Cato to spot threats efficiently and effectively.
The recent WannaCry outbreak, for example, can be stopped by detecting malicious buffers indicative of the EternalBlue exploit used by WannaCry:

Suspicious locations can be blocked by leveraging Cato’s geolocation restrictions:

And with reputation analysis, Cato IPS can identify and prevent inbound or outbound communications with compromised or malicious resources:

The Cato IPS has already been deployed within the Cato Cloud, protecting customers from infection. Upon deployment, the IPS detected several infected machines in one leading manufacturing company. The manufacturer relies on the Cato Cloud to connect and secure its three US locations, five international offices, and cloud instance. Cato IPS identified that the machines were communicating with a C&C server used to spread the Andromeda bot malware. Details of the anti-malware event can be seen below:

The SD-WAN of the Future. Today.

Today’s users work everywhere and so must their wide area networks. But advanced security must be built into the network to securely connect locations, cloud resources, and mobile users. With Cato IPS and the rest of Cato’s converged security services, Cato inspects and protects against threats in WAN and Internet traffic without the administrative overhead, capacity constraints, or restrictions of standard security appliances. Combined with its private backbone, the Cato Cloud makes securely connecting your business simple — again.
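Two of the context attributes listed in this post, true-filetype inspection and DNS heuristics for DGA-like names, can be illustrated with a small detector. This is an added example, not Cato’s IPS: it compares the type a filename extension claims with the type the leading bytes (published magic numbers) actually indicate, and scores the second-level DNS label on entropy, vowel ratio, length and embedded digits, flagging a query when three of the four traits fire. The thresholds, the event format and the sample events are constructed for illustration; a production system would tune them against real traffic, as the post says Cato does with its signatures.

```python
"""True-filetype and DGA heuristics over a constructed event stream.

Added example (not Cato's IPS). Thresholds, event format and sample
events are constructed for illustration.
"""
import math
from collections import Counter
from typing import Optional

# Leading magic bytes from published file-format specifications.
MAGIC = [
    (b"MZ", "exe"),                    # Windows PE / DOS executable
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),            # also docx/xlsx/pptx/jar containers
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that legitimately share a container type with another.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "dll": "exe", "scr": "exe"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def filetype_mismatch(filename: str, data: bytes) -> dict:
    """Compare the type the extension claims with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALIASES.get(ext, ext)
    actual = sniff_type(data)
    return {"declared": declared, "actual": actual,
            "mismatch": actual is not None and declared != actual}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(fqdn: str) -> dict:
    """Score the second-level label for DGA-like traits; flag on 3 of 4."""
    parts = fqdn.strip(".").lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    entropy = shannon_entropy(label)
    hits = [
        entropy >= 3.5,                       # many distinct symbols
        vowels / max(len(label), 1) < 0.25,   # unpronounceable
        len(label) >= 12,                     # long
        digits > 0,                           # digits mixed into the name
    ]
    return {"label": label, "entropy": round(entropy, 3),
            "score": sum(hits), "flagged": sum(hits) >= 3}


def inspect_events(events: list) -> list:
    """Run both checks over an event stream and return alert strings."""
    alerts = []
    for ev in events:
        if ev["kind"] == "file":
            r = filetype_mismatch(ev["name"], ev["data"])
            if r["mismatch"]:
                alerts.append(f"filetype mismatch: {ev['name']} is really {r['actual']}")
        elif ev["kind"] == "dns":
            r = dga_score(ev["qname"])
            if r["flagged"]:
                alerts.append(f"dga-like query: {ev['qname']} (score {r['score']})")
    return alerts


# Constructed sample events: a renamed executable, a genuine docx, a
# DGA-looking query, and a long but pronounceable legitimate name.
SAMPLE_EVENTS = [
    {"kind": "file", "name": "invoice.pdf", "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"kind": "file", "name": "report.docx", "data": b"PK\x03\x04\x14\x00\x06\x00"},
    {"kind": "dns", "qname": "xk3jd9fq2lwpz8.net"},
    {"kind": "dns", "qname": "www.companyportal.example"},
]

if __name__ == "__main__":
    for line in inspect_events(SAMPLE_EVENTS):
        print(line)
```

The filetype check only fires when the bytes are recognized and disagree with the extension, so an unknown type is never reported as a mismatch; the DGA score deliberately needs several traits at once, since a single high-entropy or long label (a CDN hostname, for instance) is common in benign traffic.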

A leopard can’t change its spots: Why physical security appliances can’t move to the cloud

Palo Alto’s recent introduction of its firewall as a service (FWaaS), GlobalProtect Cloud Service, is the latest example of how firewall appliance vendors are moving to the cloud. Appliances are not aligned with the new shape of business, which involves private and public cloud platforms and a mobile workforce needing fast access to business data from anywhere at any time. By running security in the cloud, firewall as a service providers can better accommodate these business changes, in theory. In practice, neither the enterprise firewall appliances being adapted for FWaaS nor existing multi-tenant virtual firewall platforms adequately meet the needs of a scalable, reliable FWaaS.

Enterprise firewall appliances, even ones built for large enterprises, were never designed to serve multiple customers. As a result, scaling, resource segmentation and resource allocation become problematic. Even the multi-tenant firewall platforms currently marketed to providers are limited when it comes to capacity planning, scaling, and upfront capital expenses. By better understanding the architectural differences between firewall appliances and FWaaS cloud services, IT professionals will be better placed to select the approach that meets their needs today and tomorrow.

The Cloud Is Different

Expecting enterprise firewall appliances to perform like cloud-scale software is like expecting a convertible to have the durability of a tank. Enterprise firewall appliances, like any product, are purpose-built to meet specific requirements. FWaaS, and the cloud in general, have vastly different requirements. As with any cloud service, a FWaaS is used by multiple organizations, which makes multi-tenancy critical. Downtime becomes particularly pertinent with FWaaS, as service outages impact provider revenue. The FWaaS must also be distributed by design so providers can easily expand into new geographies.
The Multi-tenancy Impact

The obvious effect of supporting multiple customers is the need for greater scaling, whether in terms of traffic loads or the sheer number of connections. Cloud platforms can scale to support globally distributed customers, each with multiple gigabits of traffic, countless connections, and distinct rule sets. Enterprise firewalls were not designed to scale in that way.

Scaling, though, is only part of the problem. Since enterprise firewalls are not designed for multi-tenancy, they do not provide resource segmentation between customers. Enterprise firewalls share all networks, objects, and firewall inspection rules between all functions in the system, and all functions use them for enforcement and inspection. One customer over-utilizing the appliance’s CPUs, memory, or network interfaces will impact other customers sharing those resources. Sharing the same user space becomes a particular problem when activating advanced security capabilities. While basic firewall functionality is very efficient, advanced security requires more compute power and reduces the overall performance of the appliance. Activating a firewall’s intrusion prevention system (IPS), data loss prevention (DLP), TLS inspection, or Quality of Service (QoS) enables user space processes for all traffic through the firewall, even if a policy does not enforce it or a specific customer did not request the feature.

What’s more, some leading enterprise firewalls optimize memory utilization by keeping a customer’s configuration in memory at run-time. They are able to do this, though, because a single customer’s configuration is often small. With FWaaS servicing hundreds or thousands of customers, maintaining all customer configurations in memory would dramatically increase memory requirements and could degrade overall firewall performance.
Another example: when an application establishes a connection through an enterprise firewall, the firewall scans all of the security rules in its security policy for a match. If no match is found, the firewall’s final rule, the cleanup rule, drops the connection. With a single enterprise, the number of rules is comparatively limited. However, when enterprise appliances are used to build an FWaaS, all customers share the same security policy. With each customer creating hundreds of rules, the firewall ends up having to scan tens of thousands of rules, significantly degrading its performance.

More broadly, enterprise firewalls come with numerous legacy features and capabilities, such as dynamic routing, physical link separation, and integration with third-party services. These features and capabilities were designed for on-premises environments and are irrelevant for FWaaS or, worse, create a performance drag on the appliance.

Management and Upgrades

But it’s not just their performance limitations that make enterprise firewalls ill-suited as platforms for FWaaS offerings. It’s also how they handle administrative activities. Enterprise firewalls were designed for a few administrators making occasional policy changes. FWaaS offerings, though, may be updated simultaneously by hundreds of administrators across organizations. The concurrent policy modifications become a resource-intensive operation, one that was never part of the design of enterprise firewalls. Unexpected delays often occur as the enterprise firewall must implement all changes.

Firewall software updates are also handled differently in the cloud than in the enterprise. FWaaS providers frequently update their services and expect to do so without any downtime or impact on the customer. FWaaS software services are allocated dynamically to customers, ensuring that service quality is not degraded as nodes are upgraded.
Enterprise firewall appliances were not designed to scale or to be managed in quite the same way. Platform-wide upgrades of the multiple systems comprising a firewall are not native to the architecture. Updates need to be scheduled for maintenance windows. Resources are allocated and locked per customer, preventing efficient usage by multiple customers. In many cases, the compute power of an enterprise firewall is intentionally limited, as it was designed for a price-competitive market.

Virtual Platforms and Cloud Appliances

The logical answer for FWaaS providers would seem to be to deliver multi-tenant security solutions, such as Fortinet’s Virtual Domains (VDOM). These are physical appliances designed to run multiple virtual firewall instances. Providers can instantiate new firewalls easily and quickly for customers while avoiding the power, space, and cooling requirements that must be addressed in order to run racks of physical appliances. However, these multi-tenant solutions fail to create a full virtual environment for each customer system. A customer’s virtual firewall ends up competing with the other virtual firewalls for the memory and compute resources of the underlying appliance, making sizing and capacity planning particularly challenging. Scaling these solutions requires a large upfront investment. Expanding into new markets requires the installation and deployment of a hardware platform (two for high availability), complicating geographic expansion.

Software Built for the Cloud

To accommodate multiple customers on an enterprise firewall, vendors would need to re-architect the firewall appliance. They would need to adjust both the management and the enforcement points of the appliance. In most cases, the firewall vendor would need to rewrite the core capabilities of the appliance software to avoid policy management collisions between customers and deadlocks between multiple rules configured by different customers.
Integration into each customer’s management platform, such as Active Directory or a SIEM, would also need to be upgraded. The enforcement function of the firewall would need to be adjusted to apply only to the requisite customer’s traffic, not all traffic. Otherwise, one customer enabling a new IPS signature, for example, would end up impacting the traffic of all customers.

In reality, enterprise firewall vendors can’t easily adapt their appliances to become the basis of FWaaS. There are too many issues with core firewall operations that must be changed to meet the cloud’s requirements for multi-tenancy, scalability, and elasticity. At the same time, existing multi-tenant solutions inefficiently share resources and require large upfront costs. Deploying them to new regions is costly and challenging. A FWaaS requires a new cloud-scale architecture that enables the FWaaS provider to deliver the scalability, elasticity, and rapid deployment capabilities required to support today’s business.
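The rule-scanning argument above (first match wins, the cleanup rule drops the rest, and a shared policy makes every customer pay for every other customer's rules) can be made concrete with a small policy evaluator. The block below is an added example, not any vendor's firewall code; the `Rule` and `Flow` types, the tenant naming scheme and the generated policies are constructed for the example. It evaluates the same flow against one shared rule base and against per-customer rule bases and reports how many rules each lookup had to touch.

```python
"""Added example, not any vendor's firewall code: first-match policy
evaluation ending in a cleanup (default-deny) rule, run two ways. In the
shared model every customer's rules sit in one rule base, so a lookup for
one customer walks every other customer's rules too; in the segmented model
each customer has its own rule base. The rules and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    tenant: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    port: int       # destination port, 0 = any
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    tenant: str
    src_ip: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.port in (0, flow.dst_port))


def evaluate_shared(rules: list, flow: Flow) -> tuple:
    """One rule base for all customers. Returns (action, rules_scanned).
    The tenant tag on each rule is a simplification: a real single-tenant
    appliance has no such tag, so overlapping customer address spaces can
    also match the wrong customer's rule."""
    scanned = 0
    for rule in rules:
        scanned += 1
        if rule.tenant == flow.tenant and rule_matches(rule, flow):
            return rule.action, scanned
    return "deny", scanned          # cleanup rule: nothing matched


def evaluate_segmented(rules_by_tenant: dict, flow: Flow) -> tuple:
    """Per-customer rule bases: only the owning customer's rules are consulted."""
    scanned = 0
    for rule in rules_by_tenant.get(flow.tenant, []):
        scanned += 1
        if rule_matches(rule, flow):
            return rule.action, scanned
    return "deny", scanned          # cleanup rule


def build_policies(num_tenants: int, rules_per_tenant: int) -> tuple:
    """Constructed policies: tenant t allows HTTPS from each /24 in 10.t.0.0/16
    (rules_per_tenant must be at most 256 for this addressing scheme)."""
    shared, segmented = [], {}
    for t in range(num_tenants):
        name = f"tenant{t}"
        rules = [Rule(name, f"10.{t}.{i}.0/24", "0.0.0.0/0", 443, "allow")
                 for i in range(rules_per_tenant)]
        shared.extend(rules)
        segmented[name] = rules
    return shared, segmented


if __name__ == "__main__":
    shared, segmented = build_policies(num_tenants=50, rules_per_tenant=100)
    flow = Flow("tenant49", "10.49.99.7", "93.184.216.34", 443)
    print("shared:   ", evaluate_shared(shared, flow))        # ('allow', 5000)
    print("segmented:", evaluate_segmented(segmented, flow))  # ('allow', 100)
```

With 50 customers of 100 rules each, the last customer's flows cost 5,000 rule comparisons in the shared model and 100 in the segmented one, and a flow that matches nothing pays the full scan before the cleanup rule drops it. Segmentation is what keeps one customer's rule count from becoming every other customer's latency, which is the property the post says enterprise appliances lack.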

How to Overcome Internet Problems with Cato’s Secure and Optimized SD-WAN Service

Let’s face it, MPLS, for all of its high costs and long deployment times, did one thing right: it worked. You knew that the MPLS provider was going to engineer a network that could reach from Mumbai to Houston and work day in and day out. The same can’t be said for the public Internet.

The Internet is inherently unpredictable. Internet connections must cross the networks of many providers, each optimizing routing for its own interests. As providers exchange traffic, the risk of packet loss only grows. The Internet is a “best effort” system in the truest sense of the word. Within Internet regions, the differences between a “best effort” system and predictable transports are often less noticeable. Part of this has to do with the limited distances being covered. Much has to do with the density of the Internet buildout, allowing routing protocols to choose from many alternate routes. But between Internet regions, the longer latencies and fewer routes make the Internet far less dependable as the basis of a global WAN.

To better understand these issues and how Cato addresses them with its secure and optimized SD-WAN service, the Cato Cloud, watch this recorded webinar. Yishay Yovel, Vice President of Marketing at Cato Networks, explains Cato’s architecture and how it’s being used by three different customers. This webinar will go over:

Why the public Internet is so unreliable
How Cato architected its global cloud network
Cato’s approach to global routing
Three case studies of companies that selected Cato and why

It’s a fast, easy way to see how Cato can meet your company’s global WAN requirements. Watch it now here.

The MacGyver Experience: How Improvising with Cato Avoided Downtime

Backhoe operators, floods, fires: everyone has a horror story about when one of their offices went dark. In the days of MPLS, there wasn’t much you could do when a service failed. Internet failover is a great idea, but only if you had thought about it ahead of time. Otherwise, an outage often meant lost productivity.

Ahhh, how things have changed. With SD-WANs, branches configured with dual-homed connections can, and often do, exhibit better local loop availability than MPLS. By running both lines in parallel (what’s called active/active), a brownout or blackout on one line simply means using the other ISP’s connection, often without users even knowing. So many customers tell us that they switched to SD-WAN simply to improve their uptime. Kind of ironic when it’s MPLS that comes with uptime guarantees.

And then there are those who use SD-WAN’s flexibility to improvise on the spot, something they could never do with MPLS. Kind of like MacGyver saving the fate of the planet with duct tape. Here’s one such story that I received from a customer (edited for clarity):

“There were huge outages in London the other day for customers of a local Internet service. Some 36 exchanges were affected in the North West London area. The cause was major fibre damage. One of our offices was also affected, but instead of downtime we had a quick workaround. I connected our Cato Socket to our PlusNet service, which we normally use for WiFi. I rebooted the Socket and, voilà! Our site was back online. Worked like a dream.”

Without being tied to a local loop provider, Cato users can grab whatever connection works best: xDSL, 4G/LTE, even cable. As long as they can connect to the Internet, they can connect with Cato. If you have your own “horror” story, we’d like to hear it. In return, we’ll send one of our cool, new Cato shirts to the first five respondents whose stories we run.
Simply email Kim White (kim@catonetworks.com) with a description of your horror story (<300 words) explaining:

details of what happened
the impact or potential impact on you and your business
your “MacGyver” solution
contact details, and, optionally, your Twitter / social handle

All responses will be edited for clarity.

FWaaS or Managed Firewall Services: What’s the Difference?

There’s been a lot of hype around Firewall as a Service (FWaaS). At first glance, the hype seems misplaced. After all, managed firewall services are certainly not new. But FWaaS is fundamentally different from a managed firewall service. Understanding those differences has significant implications for security and networking teams. We’ll analyze those issues in our upcoming “The Hype Around Firewall As A Service” webinar.

The shift to FWaaS is being driven by a number of factors. Increasing SSL traffic volume puts pressure on firewall appliance processing capacity, often forcing unplanned upgrades. WAN infrastructure is also changing with the adoption of SD-WANs. They require direct Internet access to minimize the latency of accessing cloud- and Internet-based resources from across MPLS services. However, most SD-WANs lack the next generation firewall, IPS, and the rest of the advanced security stack needed to protect the branch. FWaaS is a critical component in completing this vision.

While managed firewall services have long been provided by service providers, managing discrete firewall appliances is vastly different from FWaaS. FWaaS offers a single logical firewall in the cloud that is available anywhere, seamlessly scales to address any traffic workload, enforces unified policy, and is self-maintained by a cloud provider. Data centers, branches, cloud infrastructure, mobile users — every organizational resource plugs into the FWaaS and can leverage all of its security capabilities.
During the webinar we will walk through each of those issues and explain:

The challenges IT networking, security, and operations teams face with a distributed network security stack and Direct Internet Access
How FWaaS can address these challenges, and what the required capabilities are
How Cato Networks protects enterprises in the cloud, simplifies network security, and eliminates the appliance footprint in remote locations

This webinar will be held on July 12, 2017, at 1:00 PM ET and July 13, 2017, at 10am GMT+1. Click here to register now.

WannaCry II: How to Stop NotPetya Infections with the Cato Cloud

Just a little more than a month after WannaCry delivered the “largest” ransomware attack in history, the industry was reeling from its sequel, NotPetya. Like WannaCry, NotPetya leverages the SMB protocol to move laterally across the network, using an EternalBlue exploit attributed to the National Security Agency (NSA) and leaked by the Shadow Brokers hacking group last April. But the ransomware, a variant of the NotPetya ransomware discovered more than a year ago, significantly improves on WannaCry. First, NotPetya extracts user credentials from the infected machine’s memory using Mimikatz, an open-source tool. Using the harvested credentials, the malware employs the PsExec Microsoft utility and WMIC (Windows Management Instrumentation Command Line), utilities bundled with Windows, to execute commands on remote machines.

IT managers should take action to protect users and their networks even if they have already done so against WannaCry. All Windows-based machines should be updated, including industrial devices, such as ATMs, and Windows 10 devices. Detailed steps for protecting your network with Cato are provided below, including a video illustrating EternalBlue-based attacks.

Inside The Attack

While the source of the NotPetya campaign has been the subject of speculation, Microsoft now claims to have evidence that "patient zero" is MeDoc, a Ukraine-based software company. Attackers allegedly planted the malware in the company’s update servers. The company then erroneously distributed the malware as part of a software update. Ukraine was indeed the primary victim of this attack. Other attack vectors found in the wild are Microsoft Office documents armed with embedded HTAs (HTML Applications) designed to exploit CVE-2017-0199, first discovered in April 2017. Once the document is opened, the HTA code executes and drops the malware onto the attacked computer.
The machine is then forced to reboot, encrypting the files and locking the computer. Victims are asked to pay $300 to remove the infection (see Figure 1). A total of 3.8 Bitcoin (BTC), approximately $8,000, has been collected to date by NotPetya.

Figure 1: Ransomware screen from a computer infected by NotPetya

What You Can Do

If machines have not already been updated, Cato Research recommends that all organizations update them. To protect the network, take the following actions:

Use URL filtering to block malicious sites.
Add a read-only file to user machines, preventing NotPetya from executing.
Scan incoming files with anti-malware.
Use IPS to detect and block incoming attacks.
Do not attempt to pay the ransom. The mailboxes that were used by the attackers have been disabled by the email provider. It's also unlikely that paying the ransom will provide a decryption key (Figure 2). Recent reports indicate that the encryption key may be randomized and therefore impossible to provide.
Notify users that if their computer restarts abruptly, they should shut it down immediately and alert IT. This way the malware will not be able to encrypt files and can be removed by IT personnel.

Figure 2: The email account used by NotPetya has been blocked.

Use URL filtering to block malicious sites

As was documented with WannaCry, URL filtering can minimize the attack surface available to NotPetya (Figure 3). Any malicious domain should be blocked, if it is not already. With Cato, malicious domains are blocked by default.

Figure 3: IT should block access to malicious domains

Add a Read-Only File to User Machines to prevent infection

While WannaCry could be stopped by preventing the malware from communicating back to the C&C server, no such kill-switch exists with NotPetya. However, Amit Serper, a security researcher from Cybereason, has discovered that adding a read-only file to the C:\windows directory with the same name as the malicious DLL, perfc (without an application extension), disables the execution of the malware (Figure 4).

Figure 4: Placing a file named perfc in the Windows directory will prevent installation of NotPetya on a machine.

Scan incoming files with anti-malware

Threat protection should also be enabled to scan every download and payload (Figure 5). With Cato’s anti-malware capabilities, customers are protected by blocking HTTP/S traffic containing NotPetya. Even if an email attachment contains NotPetya, the payload is still transferred across HTTP and will be blocked.

Figure 5: Cato threat protection blocks infected files and messages

Additional rules monitor for suspicious SMB traffic. To date, SMB traffic patterns pointing to the malware have not been detected on our network. The above actions should protect your organization against NotPetya. To see Cato security in action and how it defends against any EternalBlue attack, watch this video:
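The read-only `perfc` sentinel described above is easy to get subtly wrong at scale (file created but left writable, or created with an extension). The block below is an added example, not Cato's or Cybereason's code: a check-and-apply routine that creates the file, clears its write permission, and reports its state from the mode bits rather than from `os.access()`, which would report "writable" for an administrator. The target directory is a parameter so the routine can be exercised in a scratch folder; pointing it at `C:\Windows` on a Windows host assumes the account running it can write there.

```python
"""Added example, not Cato's or Cybereason's code: the read-only sentinel
file mitigation described above, as a check-and-apply routine. It creates
an empty file named `perfc` (no extension) in the given directory and strips
the write permission, then reports the file's state. The directory is a
parameter so the routine can be exercised in a scratch folder; on a Windows
host you would point it at C:\\Windows (assumption: the account running it
can write there)."""
import os
import stat
import sys
import tempfile
from pathlib import Path

SENTINEL_NAME = "perfc"       # same base name as the malicious DLL, no extension
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sentinel_state(directory) -> str:
    """'missing', 'writable' or 'read-only', judged from the mode bits rather
    than os.access(), which reports writable for an administrator/root."""
    path = Path(directory) / SENTINEL_NAME
    if not path.exists():
        return "missing"
    mode = stat.S_IMODE(path.stat().st_mode)
    return "writable" if mode & WRITE_BITS else "read-only"


def ensure_sentinel(directory) -> str:
    """Create `perfc` if absent and clear its write bits (on Windows, os.chmod
    maps this to the read-only attribute). Returns the resulting state."""
    path = Path(directory) / SENTINEL_NAME
    if not path.exists():
        path.touch()
    mode = stat.S_IMODE(path.stat().st_mode)
    os.chmod(path, mode & ~WRITE_BITS)
    return sentinel_state(directory)


def demo_in_temp_dir() -> tuple:
    """Run the routine in a throwaway directory; returns (before, after)."""
    with tempfile.TemporaryDirectory() as scratch:
        before = sentinel_state(scratch)
        after = ensure_sentinel(scratch)
        # Restore write permission so the scratch directory cleans up on any OS.
        os.chmod(Path(scratch) / SENTINEL_NAME, 0o644)
        return before, after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    print(f"{SENTINEL_NAME} in {target}: {ensure_sentinel(target)}")
```

Run without arguments it targets `C:\Windows`; `python perfc_sentinel.py /some/dir` (the script name is an assumption) targets another directory, and `sentinel_state()` alone is enough for an inventory check that reports which machines are still missing the file or have it writable. The sentinel is a stopgap for one malware family, not a substitute for the patching and filtering steps listed above.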

The Internet is Broken: Here’s Why

It’s become the favorite whipping boy of networking. The Internet is erratic. The Internet is unstable. The Internet is insecure. But exactly what is wrong with the Internet, and can it be fixed? We dove into that question with our co-founder and CTO Gur Shatz in a recent eBook, “The Internet is Broken: Why Public Internet Routing Sucks.” You can read it for yourself here.

Since the early days of the Internet, routers have been shaped by a myriad of technical constraints. General purpose processors lacked the processing power, forcing router vendors to rely on custom hardware. To deliver line-rate performance, packet processing was kept to a minimum and routing decisions were moved to a separate process, the “control plane.” With the separation of the control and data planes, architects could build massively scalable routers.

Compute resources have since become more than sufficient for high-speed packet processing. And yet “feedback” from the data plane to the control plane remains nominal, an anachronism from the early days of the Internet. A modern router has little insight into its packet flows — how long it takes to reach the next hop, the degree of congestion in the network, or the nature of the traffic being routed. To the extent that such information is available, it is not factored into the routing decisions made by BGP, the routing protocol gluing the Internet together.

MPLS services are not the answer. They’re too expensive, and changes take too long for today’s business. Cloud and Internet performance suffer because of traffic backhaul, a common phenomenon in the way companies architect their MPLS-based backbones. Local loop availability is often an issue with the way MPLS is implemented. The protocol also suffers from many of the same problems as BGP.

There are measures that can be taken to address the problem, though. This eBook details those measures and explains how they address the limitations of the Internet and MPLS. To read the eBook, click here.

Opening Offices in China and Asia Pacific: Are You Ready to Be a Hero?

When street crime gets just a bit too much to handle in the Marvel Universe, the Defenders get the call. But when space aliens threaten global domination, the big guns are called in and it’s the Avengers that get to work.

Opening offices in the Asia Pacific is a lot like that. New office in London or New York? No problem. That’s pretty well understood. Pick from a half dozen providers. You know that one, if not all, of them will be working with a pretty solid cabling plant — or more likely fiber plant — to link up the office. Price will be affordable, of course, given the competition. Distances are short, so latency and loss will usually be insignificant. Just find the provider with the right package. For those kinds of offices, any IT manager can take the billing.

But build an office in China or the Asia Pacific and, well, that’s a different story. ISP selection is more limited. Wiring infrastructure in many Asia Pacific countries is a step down from what you might see in Western cities, such as New York. Chinese regulations need to be understood and planned for. The sheer distance to and from China or anywhere in the Asia Pacific will significantly impact throughput, making latency and loss performance critical.

For those kinds of deployments, companies need more than just the average IT manager. They need the Iron Man of IT managers (or Black Widow, if you prefer). They need someone who understands the challenges of global backbones and knows how to solve them; a person who can deliver reliable connectivity even into Hangzhou, Beijing, and any other Chinese city. And someone who knows how to deliver a secure networking infrastructure without overburdening the branch office with hardware that will have to be shipped to the location (and be delayed in the process). Are you ready to be that kind of hero?

We may not be able to give you an armored suit with super strength, but we can give you the smarts and tools to make opening an office in China or anywhere in the Asia Pacific a bit easier. Check out this eBook for more details.

Come Meet the Cool Vendor at InfoSecurity Europe

Gartner named Cato Networks a “Cool Vendor” in its report “Cool Vendors in Security for Midsize Enterprises, 2017.” The cool vendors highlighted in this report are young vendors that offer a “disruptive combination of innovation and midsize enterprise suitability” for security in midsize enterprises. “Emerging vendors are disrupting security markets and successfully competing with established mainstream vendors that have not been able to engage directly with midsize enterprises (MSEs) or provide affordable products that can scale to their needs,” write Gartner analysts Neil Wynne, Adam Hils, Saniye Burcu Alaybeyi, and Tricia Phillips. The report suggests that IT leaders in MSEs responsible for security and risk management should “Favor the selection of a product, when all else is equal, with a low total cost of ownership (TCO) that can be implemented, managed and supported with minimal IT resources.”

Cato’s convergence of SD-WAN, Firewall as a Service and a global backbone allows for a radical reduction in the TCO of an IT operation. By replacing appliances with the Cato Cloud, companies eliminate the patching, forced upgrades, and troubleshooting costs associated with next generation firewalls and other network security appliances. With a global SD-WAN based on an affordable, SLA-backed backbone, the Cato Cloud also tackles the high costs of MPLS. Cato allows for a massive rethinking of IT operations, if the customer wants. And that’s part of the genius of Cato: companies can adopt as much or as little of the service as necessary. Augment MPLS with the Cato Cloud. Eliminate firewalls at some sites, but not others. The Cato Cloud is that flexible.

But don’t take our word for it: see Cato in action at the 2017 InfoSecurity Europe show in London this week and visit our booth, M100.
Cato Networks’ co-founder and CTO Gur Shatz presented at InfoSec in his Tech Talk titled, “Hybrid Cloud Secure Network Integration: Tips and Techniques.” To learn more about that session click here. Can’t get to London? You can always visit us online.

Rise of the UberNet

Achilles had his heel and Superman has his kryptonite. For SD-WANs, the Internet has been their weakness. The lack of a global, SLA-backed backbone leaves SD-WANs unable to provide the consistent, predictable transport needed by real-time services and business-critical applications. As a result, SD-WAN adopters have remained chained to their MPLS services, paying exorbitant bandwidth fees just to deliver these core applications.

But that doesn’t have to be the case. Now a new kind of inexpensive, high-quality, SLA-backed backbone is emerging, one that allows companies to finally overcome their MPLS dependency. These backbones use cloud intelligence and Internet economics to seamlessly combine networking with advanced security at a fraction of the cost of MPLS. We call these secured backbones the “UberNet.”

The MPLS Problem

To understand the value of the UberNet, we need to understand why MPLS service pricing is so expensive. Part of that has to do with delivering a managed service, which requires more engineering and operations than an unmanaged Internet service, but that’s not the full story. Market forces have been a big factor in MPLS pricing. MPLS operators often had exclusive or near-exclusive control over given regions. With limited competition, providers had little incentive to reduce their fees. What’s more, building out an MPLS service required significant costs, costs that had to be passed on to customers. Redundant Provider Edge (PE) MPLS-enabled routers, switches, and other appliances were needed in each point-of-presence (PoP). Cables, fibers, or wavelengths on fibers were leased or purchased by carriers. Running that network meant suffering all of the rigidity enterprise IT managers have come to hate. Bandwidth was still provisioned in the old T1/T3/OC-3 increments. Careful traffic engineering was necessary due to limited available bandwidth.
Maintaining that kind of complex infrastructure, particularly to meet uptime and delivery guarantees, makes for an expensive operation.

UberNet Architecture

The UberNet uses a very different model. It’s built on the layered approach so effectively employed in IP networking. Rather than building their own global infrastructure, service providers purchase or lease bandwidth, what are called “IP transit” services, across existing Tier-1 IP backbones. With IP transit, providers avoid the sudden spikes in loss and latency found when providers exchange traffic for free (what’s commonly called “Internet peering”). IP transit services come with the same “five nines” availability and 0.1% maximum packet loss guarantees typical of MPLS services. The competition among backbone suppliers and the nature of IP minimize costs.

But no network is ever perfect, so to maximize performance and extend their reach, UberNet PoPs connect to multiple Tier-1 backbones. A combination of an encrypted software-defined overlay across all backbones, application-aware routing, and the gathering of latency and loss statistics from each backbone allows the UberNet to select the optimum route for any application at any time. As such, the UberNet can deliver better performance, uptime, and geographic reach than any one Tier-1 backbone.

Redundancy is provided in two ways with the UberNet. Like any Internet service, the UberNet inherits redundancy from the existing Internet infrastructure. Locations connecting to the UberNet, for example, are directed to the closest available PoP by DNS. This is an inherent feature of the Internet that we take for granted, but providing that kind of resiliency would require significant design work by an MPLS provider. In addition, UberNet code is fully distributed across commercial off-the-shelf (COTS) hardware. As distributed software, PoP components can take over for one another in the event of a component failure. The same is true of the PoPs themselves. Should one PoP become unreachable for any reason, traffic is routed over to the other PoPs. And by avoiding proprietary appliances, parts sparing becomes a non-issue.

The use of COTS also helps with geographic coverage. Without having to ship proprietary hardware, providers can roll out PoPs far faster than with MPLS networks. COTS hardware (or the virtual equivalent) is the only requirement. No direct dependency exists between a customer’s locations or users and a particular provider resource. Moving PoPs closer to customer locations shortens the “last mile,” allowing the UberNet’s traffic steering and application-centric routing to optimize traffic. By connecting locations with diversely routed fiber connections running business-grade Internet service, availability and performance are further improved. In fact, uptime can far exceed typical Internet connectivity and even MPLS local loop resiliency. (Read the SD-WAN Experts blog for more information.)

Built-in Security

With more enterprise traffic going to the Internet, security needs to be an essential part of any service. Encrypting traffic in flight is a small part of what’s necessary to protect the enterprise. Advanced threat protection services, such as a next generation firewall (NGFW), intrusion prevention system (IPS), and secure web gateway (SWG), are needed to secure the enterprise perimeter and mobile users. The UberNet integrates advanced security services into its PoPs. And since the UberNet is built on the Internet, any cloud resource, SaaS application, mobile user, and, of course, location that can connect to the Internet can connect to and be secured by the UberNet.

Unlike Any SD-WAN

While CDN providers and others have built specialized services on the UberNet, general network and enterprise-grade security services are just starting to emerge. The first such service is the Cato Cloud. It fully converges security and networking services.
By connecting to the Cato Cloud, customers no longer need firewalls, SWGs, or any other security infrastructure to protect their locations, mobile users, or cloud resources. The Cato Cloud makes networking and security simple again. To read more about the UberNet, and how it is replacing MPLS, get our free white paper here.

WAN Survey: Be Wary of SD-WAN Complexity

We recently surveyed 350 IT professionals to learn how their WAN requirements are evolving with the emergence of SD-WANs. Our thesis was that as businesses embrace clouds and hybrid clouds, a new set of WAN requirements begins to emerge. Accessing the cloud and the Internet from remote locations becomes more important. There’s also a greater focus on cost and agility.

Along the way we wanted to answer some fundamental questions, including:

Is SD-WAN replacing MPLS?
What impact, if any, will SD-WANs have on network security?
What features do enterprise customers want to see included in SD-WAN solutions?
Have SD-WANs lived up to expectations?

What we found painted a picture of cautious optimism for SD-WANs. There’s no question that companies are intrigued by the technology. The market is poised for 200% growth over the next 12 months, according to our research. At the same time, enterprises have their concerns. Education is still very much needed.

SD-WAN adoption will also likely make IT more complex, increasing operational costs. Companies must now understand traffic flows both across their underlying transports and their virtual overlays. This kind of split view can complicate troubleshooting. It also means that there will be more infrastructure to manage. SD-WAN edge nodes and additional security appliances are necessary to allow direct Internet access from branch offices. Where equipment isn’t deployed, additional provider relationships must be forged and managed. Policy and management become far more complex in this new era of virtual networks.

All of which is why Cato has sought to make network and security simple again. By converging five critical functions — SD-WANs, network optimization, MPLS-like networking, mobile access, and advanced security — into the cloud, Cato helps companies avoid the inherent complexity introduced by SD-WAN devices.

To read the survey results in full, click here >>

InfoSecurity Europe: How to Build a Hybrid Cloud

Considering or struggling with building a hybrid cloud? We might have the answer. At the upcoming InfoSecurity show in London, our co-founder and CTO, Gur Shatz, will provide practical tips on how to build and secure hybrid clouds in his session “Hybrid Cloud Secure Network Integration: Tips and Techniques.”

The hybrid cloud lets IT professionals take advantage of cloud economics, but it also creates numerous challenges. The inconsistency between the tools for managing and securing physical and cloud datacenters eliminates the “single pane of glass” for our networks. This lack of visibility creates problems of control in many areas. For the user, applications may become less responsive when running in the cloud. Accessing those applications also becomes more frustrating. Users must often connect and disconnect to use applications in different datacenters.

Gur will explore the underlying issues complicating hybrid cloud deployments. He’ll evaluate the different solutions and tradeoffs. He’ll also provide insights into how attendees can better evaluate the security mechanisms in AWS and Azure, commercial firewall products, and emerging options. During the session, attendees can expect to better understand:

the challenges involved in securing and building a hybrid datacenter
how to interconnect all critical elements, including physical locations and mobile users
the tools and capabilities available for building a secure hybrid cloud datacenter
the pros and cons of the various technologies and the resulting network topologies

As Cato’s CTO, Gur was instrumental in building out the Cato Cloud, Cato’s global network. The Cato Cloud connects physical datacenters and cloud datacenters, providing seamless access to users in company locations and to mobile users. In his talk he’ll share insights from his extensive practical experience interconnecting public clouds with private datacenters.

The presentation will take place on Tuesday, June 6, 2017 at 12:40 pm GMT. You can learn more about the event here. If you miss the talk or would like to meet the Cato team, book a meeting with us or swing by booth M100.

HackerNews Finds Cato Cloud to be a “Huge Benefit” for IT Professionals

IT professionals have better things to do than worry about configuring granular firewall rules or racing to patch systems before they fall victim to the new WannaCrypt outbreak. Getting to more strategic projects is often impossible, though, with those day-to-day emergencies. We’ve been saying that by converging networking and security into the cloud, Cato eliminates those headaches. Now TheHackerNews, a leading security portal, has proved that point with its recent hands-on review of the Cato Cloud. “Cato takes care of the infrastructure for you. That is a huge benefit for busy and understaffed IT professionals,” writes Mohit Kumar, founder and CEO of TheHackerNews.

What He Tested

Kumar evaluated the Cato Cloud across four areas: provisioning, administration, access, and security.

Provisioning new users is always a challenge in a complex, hybrid network. Kumar wanted to see what the experience would be like when using the Cato Management Application (CMA).

For administration, Kumar looked at the granularity, simplicity, and efficiency of day-to-day operations by configuring and changing access and security policies across locations.

Connectivity involved connecting to resources on-premises and in cloud datacenters. Normally, users connect directly to resources in the cloud. With hybrid clouds, users end up having to connect and reconnect every time they want to access resources in a different cloud. Kumar looked at how Cato affected this whole experience.

Security is particularly important for SD-WANs. Branch offices should be equipped with direct Internet access for the best performance using an SD-WAN. But direct access to the Internet increases network risk. As such, Kumar evaluated Cato’s ability to replace the on-premises firewall.

The Findings

“We were really impressed by the simplicity and speed of migrating an on-premise network and security infrastructure to the Cato Cloud,” writes Kumar.
“The administration is easy and intuitive, and we found the end user experience to be simple for both setup and ongoing management of connectivity and security. But probably the most compelling feature is the relief Cato provides by eliminating the need to run distributed security appliances.” You can read the review in full here.

How to Stop WannaCrypt Infections with the Cato Cloud

What’s being called the “largest” ransomware attack in history and an “audacious global blackmail attempt,” WannaCrypt broke out Friday evening. In a matter of hours, the ransomware swept across 45,000 computers in 74 countries. Like many ransomware attacks, WannaCrypt leverages phishing as an attack vector. But what makes the attack so unusually virulent is how it exploits a vulnerability in the Windows SMB protocol. SMB is used by Windows machines for sharing files, and the ransomware uses SMB to spread to other vulnerable devices on a network.

IT managers should take immediate action to protect their users and networks against the ransomware, whose technical name is WCry and which has also been referenced by names such as WannaCry, WanaCrypt0r, and Wana Decrypt0r. All Windows-based machines should be updated, including industrial devices, such as ATMs, and Windows 10 devices, which were not targeted by the attack. Detailed steps are provided below.

Attack Vectors

What’s particularly interesting about WannaCrypt is that it uses “EternalBlue,” an alleged NSA exploit that was leaked last month. EternalBlue exploits a vulnerability in the Server Message Block version 1 (SMBv1) protocol to spread between machines. More specifically, the attack exploits a vulnerability in the way an SMBv1 server handles certain requests. By sending an SMBv1 server a specially crafted packet, an attacker could cause the server to disclose information and, at worst, allow remote code execution. Once installed, the ransomware encrypts the files on the machine. Victims are asked to pay $300 to remove the infection (see Figure 1). Some WannaCrypt actors are also dropping “DoublePulsar” onto the machines. DoublePulsar is a “malware loader” used by attackers to download and install other malware.
Figure 1: Sample WannaCrypt screen

The attack was thought to be mitigated by a “kill switch” discovered by a security researcher last week. The security researcher registered a domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com) called by the malware. Seeing a registered domain, the malware stopped its operation. IT managers should remain vigilant, though. The threat could easily be changed to use a different domain. To date, no such variant has been found, despite earlier claims to the contrary.

What You Can Do

Cato Research recommends that all organizations update their Windows machines (including those running XP and other unsupported Microsoft versions). Due to the scale of the attack, Microsoft took the unusual step of releasing a patch for older, unsupported Windows versions. The Microsoft Research team says Windows 10 customers were not targeted by the attack, but the operating system is still vulnerable and should be updated.

In the near term, Cato customers should take four actions until they are certain all systems have been updated and the attack subsides:

Use URL Filtering to stop phishing efforts.
Disrupt WannaCrypt communications with the Internet Firewall.
Scan incoming files with Threat Protection.

Cato customers can stop the phishing vector by immediately enabling URL filtering (Figure 2) and configuring application control policies. Any unknown domain access should be blocked until all systems are updated and the attack is over, which is likely to last another week or so.

Figure 2: IT should block access to unknown domains by enabling URL filtering in Cato

Application control should be used to block access to TOR nodes, preventing the malware from communicating back to the C&C server (Figure 3).

Figure 3: By configuring Cato’s Internet Firewall to block TOR traffic, IT managers disrupt communications back to C&C servers.

Threat protection should also be enabled to scan every download and payload (Figure 4).

Figure 4: Cato threat protection blocks infected files and messages

Read more about 'How to Stop NotPetya'
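As an added example (not code from the original post or from Cato's product), the two network-side signals this post leans on can be checked in bulk logs: one internal host opening SMB (TCP/445) sessions to many internal peers within a short window, which is the SMB spreading behavior described above, and a DNS lookup for the kill-switch domain the post quotes. The log record format and all sample lines are constructed for this example; the 10.0.0.0/8 internal range and the 10-peer/60-second threshold are assumptions to tune per network.

```python
"""Flag WannaCrypt-style activity in constructed firewall/DNS log lines.

Two defender-side signals from the post above:
  1. SMB fan-out: one internal host opening TCP/445 sessions to many
     distinct internal hosts within a short window (worm-like spread).
  2. A DNS query for the kill-switch domain the malware is known to call.
The log format here is an assumption for the example, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (not real traffic). Two record shapes are assumed:
#   "<ISO time> fw  <src> <dst> <proto>/<port>"
#   "<ISO time> dns <src> <queried-name>"
SAMPLE_LOG = """\
2017-05-12T18:00:00 dns 10.1.2.15 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T18:00:01 fw 10.1.2.15 10.1.2.20 tcp/445
2017-05-12T18:00:01 fw 10.1.2.15 10.1.2.21 tcp/445
2017-05-12T18:00:02 fw 10.1.2.15 10.1.3.7 tcp/445
2017-05-12T18:00:02 fw 10.1.2.15 10.1.3.8 tcp/445
2017-05-12T18:00:03 fw 10.1.2.15 10.1.3.9 tcp/445
2017-05-12T18:00:03 fw 10.1.2.15 10.1.3.10 tcp/445
2017-05-12T18:00:04 fw 10.1.2.15 10.1.3.11 tcp/445
2017-05-12T18:00:05 fw 10.1.2.15 10.1.3.12 tcp/445
2017-05-12T18:00:05 fw 10.1.2.15 10.1.3.13 tcp/445
2017-05-12T18:00:06 fw 10.1.2.15 10.1.3.14 tcp/445
2017-05-12T18:00:06 fw 10.1.2.15 10.1.3.15 tcp/445
2017-05-12T18:01:10 fw 10.1.5.2 10.1.5.3 tcp/445
2017-05-12T18:01:11 fw 10.1.5.2 10.1.5.4 tcp/445
2017-05-12T18:02:00 dns 10.1.5.2 www.example.com
2017-05-12T18:02:30 fw 10.1.5.2 93.184.216.34 tcp/443
"""

# Assumed internal address space; adjust to the real network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Kill-switch domain quoted in the post above.
KILLSWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts = datetime.fromisoformat(fields[0])
        if fields[1] == "fw" and len(fields) == 5:
            proto, port = fields[4].split("/")
            events.append({"ts": ts, "kind": "fw", "src": fields[2],
                           "dst": fields[3], "proto": proto, "port": int(port)})
        elif fields[1] == "dns":
            events.append({"ts": ts, "kind": "dns", "src": fields[2],
                           "qname": fields[3].rstrip(".").lower()})
    return events


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_smb_fanout(events, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct internal TCP/445 peers seen in
    any single window} for sources at or above threshold. A worm sweeps
    many peers quickly; a normal file-server client talks to a few."""
    by_src = defaultdict(list)
    for e in events:
        if (e["kind"] == "fw" and e["proto"] == "tcp" and e["port"] == 445
                and is_internal(e["src"]) and is_internal(e["dst"])):
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):
            peers = {dst for ts, dst in hits[i:] if ts - start < window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_killswitch_lookups(events, domains=KILLSWITCH_DOMAINS):
    """Sources that resolved a kill-switch domain: the malware ran there."""
    return sorted({e["src"] for e in events
                   if e["kind"] == "dns" and e["qname"] in domains})


def analyze(text):
    events = parse_log(text)
    return {"smb_fanout": find_smb_fanout(events),
            "killswitch_queries": find_killswitch_lookups(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A host that appears under both keys, as 10.1.2.15 does in the sample, is the one to isolate and patch first; a kill-switch lookup alone still means the payload executed even though encryption was suppressed.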

Service Insertion and Service Chaining Defined

Service insertion refers to adding networking services, such as firewalls or load balancers, into the forwarding path of traffic. Service chaining builds on service insertion, allowing multiple services to be linked in a prescribed manner, such as proceeding through a firewall, then an IPS, and finally malware protection before forwarding to the end user. Within the datacenter, Layer-2 (L2) and Layer-3 (L3) approaches have been used to varying degrees for service insertion. SD-WANs bring SDN principles of service insertion to the wide area network.

Layer-2 Service Insertion

With flat networks, services can be inserted by bridging together two VLANs, such as with VLAN chaining. When users are in VLAN 1, for example, they can readily access the servers in VLAN 1. If we’d like to insert a local firewall for a group of stations, we can group those stations into a separate VLAN. The traffic from VLAN 2 will be intercepted by the switch and sent to the service being inserted, in this case a firewall, for forwarding onto VLAN 2.

There are several problems with such an approach. Forwarding traffic based on VLAN tags means that it becomes very difficult to insert the service for some users and not others in that VLAN. It’s impossible to apply the service based on individual applications. Finally, spanning tree loops and other network issues can disrupt the network.

Layer-3 Service Insertion

With L3 service insertion, network services in the datacenter are inserted at the router. Instead of chaining VLANs, service insertion is done with subnets and virtual routing and forwarding (VRF). Users in Subnet #1 send traffic to their router, which does an L3 lookup and forwards packets to the servers in Subnet #2. To direct some users to a firewall service, for example, a route policy on the router would forward traffic to Subnet #3.

The firewall would apply the necessary policies and route the traffic (assuming it’s permitted) back to the router on Subnet #4 for delivery onto the server in Subnet #2. Such an approach is common in many datacenters. VRF is typically enabled with a VRF for one side of the router (Subnet #1 in this case) and a VRF on the other side of the router (VRF #2).

L3 service insertion addresses the challenges of L2, but poses its own challenges. All traffic must pass through the firewall, creating scaling issues. The architecture also becomes more complicated when the service being inserted is not physically near the forwarding path.

SD-WAN Service Insertion

With SD-WAN service insertion, the resource is located in another location on the SD-WAN overlay. Implementations will vary, but in general the availability of a resource is advertised to the nodes on the SD-WAN. Policies are created identifying the traffic to be forwarded to the resource and pushed out to the SD-WAN nodes. As traffic enters the SD-WAN, the nodes identify the traffic, look up the forwarding policy, and direct the data to the tunnel associated with the prescribed resource. The SD-WAN node on the receiving end sends the traffic to the defined resource(s) before forwarding it on to the destination. Traffic inspection and security enforcement are applied by the shared resource, in this case an IPS, and the traffic is forwarded onto the Internet.

SD-WAN service insertion allows for the sharing of resources that might otherwise not be available to some offices. However, bringing the traffic to the resource may be infeasible in some WAN architectures due to the distances and resulting latency between the locations.

4 Tangible Reasons for Considering SD-WANs

With any new technology there’s “fake news,” and SD-WANs are no exception. It’s true, SD-WANs probably won’t reduce your WAN costs by 90 percent or make WANs so simple a 12-year-old can deploy them. But there are plenty of reasons to be genuinely excited about the technology -- and we’re not just talking about cost savings. Often these “other” reasons get lumped into the catechisms of greater “agility” and “ease of use,” but here’s what all of that really means.

Align the Network to Business Requirements

When organizations purchase computers for employees, we try to maximize our investment by aligning device cost and configuration to user function. Developers receive machines with fast processors, plenty of memory, and multiple screens. Salespeople receive laptops and designers get great graphics adapters (and Apples, of course).

SD-WANs allow us to do the same with the WAN. We can maximize our WAN investment by aligning the type of connectivity to business requirements. Connectivity can be tweaked based on availability options, types of transport, load balancing options, and more. Examples include:

Mission-critical locations, such as datacenters or regional hubs, can be connected by active-active, dual-homed fiber connections managed and monitored 24x7 by an external provider -- and with a price tag that approaches MPLS.
At the other extreme, small offices or less critical locations can be connected with a single xDSL connection for significant savings compared against MPLS.
Short-term connections can be set up with 4G/LTE and, depending on the service, mobile users can be connected with VPN clients.

All are governed by the same set of routing and security policies used on the backbone. By adapting the configuration to location requirements, we’re able to improve our return on investment (ROI) from SD-WANs.

Easy and Rapid Configuration

For years, WAN engineering has meant learning CLIs and scripts and mastering protocols like BGP, OSPF, PBR, and more. It was an arcane art, and CCIEs were the master craftsmen of the trade. But for many companies, managing their networks in this way is too expensive and not very scalable. Some companies lack the internal engineering expertise; others have the expertise, but far too many elements in their networks. SD-WANs may not make WANs simple, but they do allow your networking engineers to be more productive by making WANs much easier to deploy and manage.

The “secret sauce” is extensive use of policies. Policy configuration helps eliminate “snowflake” deployments, where some branch offices are configured slightly differently from other offices. Policies allow for zero-touch provisioning and deployment. Policies also guide application behavior, making it easier to deliver new services across the WAN without adversely impacting the network. With an SD-WAN, you really can drop-ship an appliance to Ittoqqortoormiit, Greenland and have just about anyone install the device.

Limit Spread of Malware

SD-WANs position the organization to stop attacks from across the WAN. The MPLS networks that drive most enterprises were deployed at a time when threats predominantly came from outside the company. Security meant protecting the company’s central Internet access point and deploying endpoint security on clients. Once inside the enterprise, though, many WANs are flat networks with all sites able to access one another. Malware can move laterally across the enterprise easily, as happened in the Target breach that exposed 40 million customer debit and credit card accounts. SD-WANs start to address some of these challenges by segmenting the WAN at layer three (actually, layer 3.5, but let’s not get picky) with multipoint IPsec tunnels.

The SD-WAN nodes in each location map VLANs or IP address ranges to the IPsec tunnels (the “overlays”) based on customer-defined policies. Users are limited to seeing and accessing the resources associated with that overlay. As such, rather than being able to attack the complete network, malicious users can only attack the resources accessible from their overlays. The same is true with malware. Lateral movement is limited to other endpoints in the overlay, not the entire company.

Don’t Sweat the Backhoe

As much as MPLS service providers manage their backbones, none of that would protect you from the errant backhoe operator, the squirrels, or any one of a dozen other “mishaps” that break local loops. Redundant connections are what’s needed. With MPLS that would normally mean connecting a location with an active MPLS line and a passive Internet connection that’s only used during an outage. Running active-active is possible, but can introduce routing loops or make route configuration more complicated. Failover between lines with MPLS is based on DNS or route convergence, which takes too long to sustain a session. Any voice calls, for example, in progress at the moment of a line outage will be disrupted as sessions switch onto a secondary line.

With SD-WANs’ use of tunneling, running active/active is not an issue. The SD-WAN node will load balance the connections, maximizing their use of available bandwidth. The decision to use one path or another is driven by the same user-configured traffic policies that drive the SD-WAN. Should there be a failure, some SD-WANs can fail over to secondary connections (and back) fast enough to preserve the session. The customer’s application policies continue to determine access to the secondary line under the additional demand.

Bottom Line

Conventional enterprise wide area networks are a hodgepodge of routers, load balancers, firewalls, next generation firewalls (NGFW), anti-virus and more. SD-WANs change all of that with a single, consistent, policy-based network, making it far easier to configure, deploy, and adapt the WAN. As SD-WANs evolve to include security functions as well, the agility and usability of SD-WANs will only grow.

This article was originally published on the IBM blog.

The WAN Survey: Learn From Your Peers

How will SD-WANs impact your business? Find out when you participate in our annual State of the WAN survey. The survey evaluates satisfaction levels and adoption rates of new wide area network (WAN) technologies, such as SD-WAN. Participants provide insight into how their organizations are:

Adapting to the changes in the WAN
Accommodating mobile users
Evaluating their WANs

The survey is open to everyone. Even if you have not deployed an SD-WAN, we want to hear from you. You can take the survey here! All participants will receive a report based on the final survey results and have the opportunity to join our new research panel. They will also be eligible for a drawing for the Bose Wave SoundTouch Music System!

Take this survey now >

What’s Wrong with a Digital Geneva Convention?

Listening to the calls for “vendor cooperation” and “to come together” from the RSA show last month was exciting, even invigorating, but I suspect for those in the trenches of security, something a bit more practical is necessary. And what better place to find that practical advice than the oracle of all wisdom -- mom.

See, when my sister and I were a bit older than tots, we carried on that age-old tradition of sibling fights. And my mother, like all good mothers, would calm us down and encourage us to “kiss and make up.” Sound wisdom, but not for the reasons she thought. I don’t know about you, but the mere thought of kissing my sister when I was a 10-year-old was enough to drive me batty; I’m pretty sure she felt the same. We had a far better approach to our struggles -- yell, shout and bash each other’s brains (figuratively, of course) until the other would submit. Right? Probably not. Effective? You bet.

Geneva of a Digital Age

Sibling struggles might sound trivial compared to organizational security, but the answer to both predicaments is not all that different. Enlightened collaboration, unfortunately, is a rarity. Usually, collaboration, whether between children or nation states, occurs when neither party can “win” and both recognize there’s more value in cooperating than fighting. Which is why the call by Microsoft’s president Brad Smith for a Digital Geneva Convention to protect users from nation states strikes me as a noble, but Chamberlain-esque, attempt to stop cyber warfare.

Smith noted in his keynote that the lack of international norms guiding nation state behavior on the Internet has led us into dangerous territory where nation states take action against civilians. The hacking of the US presidential elections is the latest example, but hardly the first. The massive hack of Sony’s PlayStation Network (PSN) in 2014 was also widely seen as a revenge attack by North Korea against Sony. In both cases, you and I were the ones left impacted.

“What we need now is a digital Geneva convention for cyberwar,” said Smith. He pointed out how the Red Cross was created in 1949 to protect civilians in times of war. “A new kind of Red Cross is needed, one to protect civilians at times of cyber war. We should protect customers everywhere and never allow or support anyone to attack them.”

And what better place to start protecting civilians than in their homes. In the subsequent keynote, Christopher Young, senior vice president and general manager of Intel Security, argued that while many focus on the cloud as the next threat vector, he saw the home as the next frontier. It’s not just that our users increasingly work from home. It’s also that homes house new, more powerful devices that are being used to launch attacks against us. The Mirai botnet that launched the DDoS attack on Dyn’s DNS, for example, used home routers, cameras and other IoT devices. The botnet still exists and is actively recruiting computers. Helping to secure the home and its devices against botnets like Mirai helps protect the enterprise from attack.

And lest you think the Dyn attack was an anomaly, Young showed the result of a little experiment Intel ran. His CTO wanted to know the risk of new devices being recruited for a Mirai attack. So the Intel team dropped a DVR honeypot onto the Internet. Within seconds the DVR was recruited by the Mirai botnet, from across the globe no less.

For years we tried to protect our devices and assets from attack, but increasingly it’s our devices and assets that are being used to attack us. Our increasing reliance on big data analytics, for example, means that we need to pay attention to small “bad” data being inserted into our decision-making process. Whether it’s “fake news” in an election or skewed results in a dataset, manipulating data can undermine our decision-making process. “The devices we protected have become weapons for attacking us,” said Young. “The target is now the weapon.”

Treaties Are Not The Answer

As much as I want nation states to honor a treaty on cyber activities, I’m about as confident in the success of such an agreement as in two 10-year-olds agreeing not to fight -- until the next time. If North Korea or Iran are willing to risk war with strategic weapons tests, why would we think they would be any more willing to abide by an agreement to cease cyber hostilities?

Smith’s analogy to the Fourth Geneva Convention is telling. It was inspired by the public’s horror over the crimes committed against civilians during the Second World War. On the surface that sounds like our situation today: we’re collectively concerned about the impact cyber warfare may have on everyone’s lives. But what Smith did not mention was that the Fourth Geneva Convention only came about after we won the war and decimated our enemies. Only then could we create a new article in the Convention. By the same logic, we must once again win the war against our enemies before we can hope to rewrite the ground rules of cyber defense.

And let’s not forget that as much as we would like to focus on cyber warfare from nation states, they’re not the only source of our problems. We can’t ignore the fact that so many of the cyber attacks we’ve faced are criminally, not politically, motivated. In his keynote, David Ulevitch, the founder of OpenDNS and vice president of Cisco’s Security Business Group, pointed out how the San Francisco transit agency was hit with a ransomware attack not from a nation state but from commodity ransomware wielded by an attacker armed only with a script. A Digital Geneva Convention will not address these sorts of attackers.

So I applaud Smith’s efforts and enthusiastically encourage the information sharing and collaboration Young went on to highlight in his keynote. But at the risk of raining on the parade, I think we have to ask ourselves: how are small to medium enterprises (SMEs), often with limited budgets and in-house engineering expertise, going to protect their users today?

Tactical Steps

At least part of the answer can also be found in the keynotes. During his keynote, Dr. Zulfikar Ramzan, the chief technology officer at RSA, highlighted the importance of simplifying your security infrastructure. “I was talking to one chief information officer who has 84 security vendors, 84. How do you manage all of those vendors? How do you justify a return on investment for each one of those vendors? You can’t. Consolidate your vendors,” he encouraged.

Ramzan wasn’t alone in pointing out what we already know to be the crux of so many of our security problems - networking and security complexity. Our penchant for solving networking and security challenges with best-of-breed appliances has undermined the very infrastructure we sought to improve. “Our security works in silos, the silo problem,” as Ulevitch put it. “We have 50 security devices in our network, and that’s causing complexity.” Each new appliance we add to our networks becomes one more bit of that complexity problem.

So often conversations about appliances reduce down to the capital costs. But over the longer term, capital costs are (relatively) insignificant compared with the larger costs incurred with new appliances. In fact, even if appliances were free, deploying them would not be a good idea. Visibility becomes more fragmented; troubleshooting proportionately more difficult. As more appliances enter the fray, IT has more devices to maintain, patch, and upgrade as attack vectors evolve. Heterogeneous networks have given us buying potency, but operational impotency. We can purchase from many vendors, but in so doing we constrain IT visibility and agility.

Simplifying Networking and Security in the Cloud

Integrating security appliances is the common approach touted by large security vendors, but that only perpetuates the sizing and scalability problems inherent in appliances. The resulting architecture ends up being too expensive and unpredictable for many organizations. The more devices that NAT, and the more end-to-end encrypted sessions we run, the less visibility we have into our traffic.

The answer - we at Cato believe - is to remove the complexity from the equation. Network+Security as a Service (N+SaaS) moves all security, routing, and policy enforcement into a multi-tenant cloud service built on a global, privately managed network backbone. Gone are the separate networks and the myriad networking and security appliances that brought complexity to the enterprise. Instead of a wide area network for connecting offices, a mobile Internet infrastructure for mobile users, and Internet connections for cloud access, organizations should collapse their networks onto one high-performance network. Rather than routers, WAN optimization appliances, firewalls and the rest of the security stack in each office, enterprises should shift their networking and security stack into what Ulevitch called “the secret weapon” of the enterprise - the cloud.

By properly leveraging the cloud, SMEs can adapt, iterate, and fix problems far faster than was possible on premises. The costs of running an advanced defense -- threat intelligence, advanced security expertise, and more -- become a service provider problem, amortized across many companies. “The cloud gives us unlimited compute, storage, analytics,” he said. “In the past the bad guys had unlimited resources and unlimited time while we, the good guys, couldn't match that. Today the cloud opens a new opportunity and we can use it to overcome the attackers.” With one ubiquitous networking and security cloud resource, we eliminate the complexity exploited by attackers.

With networking and security integrated together in the cloud, we’ve positioned ourselves for the kind of automated, intelligent defense long sought after by IT. That’s how we defend ourselves and that’s how we start to defeat the scourge of cyber warfare.

Cato Research Decrypts the News Behind February Security Events

Witnessing the first SHA-1 collision was pretty heady stuff, but it’s not the only security event of note last month. Cato Research Labs identified a number of attacks, threats, and bugs introduced in February that you need to defend against. Here they are with insights and recommended steps from our research team.

Windows SMBv3 Denial of Service Zero-Day

One issue that was not covered widely in the news is a zero-day attack discovered in Microsoft Windows SMBv3, the popular enterprise protocol for file and printer sharing. The tweet about the attack pointed to a proof of concept (PoC) published on GitHub. The PoC was able to generate the so-called “Blue Screen of Death” on Windows clients that connect to a compromised SMB server. It was unclear whether this may also lead to remote code execution (RCE). Vulnerabilities in SMB servers should be treated very seriously. If attackers compromise an SMB server in the organization, they can exploit SMB vulnerabilities as part of wider lateral movement. For instance, they could launch a denial of service (DoS) attack on the entire organization or remotely execute code on endpoints in the organization. Organizations can best protect themselves by inspecting interbranch SMB traffic with an IPS. See SANS for more information.

F5’s BIG-IP leaks little chunks of memory

As we reported earlier in the month, F5’s BIG-IP leak underscored the risks of relying heavily on security appliances. The bug in the F5 BIG-IP virtual server allows a remote attacker to leak a small piece of uninitialized memory by sending a short TLS session ticket. As mitigation, organizations were encouraged to disable the feature that caused this bug. See our post for more information.

Hacked RSA rogue access points not a serious threat

News that multiple access points were hacked at last month’s RSA security show grabbed headlines. But Cato researchers found the attack poses little risk to most corporate users. The attack showed how attackers could impersonate a known wireless network by intercepting the SSID a user’s device discloses when searching for a WLAN. With a spoofed WLAN, the attackers can see the traffic traversing their sites as well as modify the HTML and JavaScript carried in HTTP traffic. Most Internet traffic from small to medium enterprise (SME) mobile users is encrypted either by the company’s VPN or by HTTPS. As such, the most critical information, usernames and passwords, is secured.

Don’t fall for the “font wasn’t found” Google Chrome malware scam

Last month researchers at NeoSmart identified a social engineering attack against WordPress sites. The attackers compromised many WordPress sites, exploiting the latest WordPress “content injection” vulnerability. The vulnerability allowed the attackers to inject malicious JavaScript that scrambled the web page text, making the end user think they have a font problem. At the same time, the page asks users to download a font package (an executable) that turns out to be malware. WordPress owners should check whether they are running WordPress version 4.7.0 or 4.7.1 and, if so, update to WordPress version 4.7.2. They should also consider turning on WordPress auto-updates to help prevent future problems. They can tell whether their sites have been compromised by looking in the web access logs for attack patterns, such as “/wp-json/wp/v2/posts/1234?id=”. Organizations may already be able to protect themselves and their users with their secure web gateway (SWG). URL filters backed by reputation services that flag compromised WordPress sites may already detect this kind of attack. Organizations should also deploy anti-malware that inspects downloaded executables. See this post for more information about the social engineering scam.
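Checking access logs for the pattern quoted above can be scripted rather than eyeballed. What follows is an added example written for this post, not code from Cato or from the WordPress project. It parses Apache/nginx combined-format access log lines (the sample lines are constructed for the example), flags requests to the posts REST route that carry an extra id query parameter, and, going slightly beyond the single pattern quoted above, also covers the /?rest_route= form the REST API uses when pretty permalinks are disabled; alphanumeric id values, the tell-tale described in public write-ups of the bug, are reported at higher confidence. It also wraps the version check the post recommends. The function names, the Hit record and the confidence labels are this example's own choices.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Apache/nginx "combined" format. These are
# illustrative lines written for this example, not real traffic. Lines 1, 2,
# 5 and 6 carry the extra "id" query parameter on the posts REST route.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:21:03 +0000] "GET /wp-json/wp/v2/posts/1234?id=1234abc HTTP/1.1" 200 5120 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:21:04 +0000] "POST /wp-json/wp/v2/posts/1234?id=1234abc HTTP/1.1" 200 812 "-" "python-requests/2.12.4"
198.51.100.23 - - [06/Feb/2017:10:25:41 +0000] "GET /wp-json/wp/v2/posts/1234 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Feb/2017:10:25:42 +0000] "GET /2017/02/hello-world/ HTTP/1.1" 200 9123 "https://example.test/" "Mozilla/5.0"
192.0.2.55 - - [06/Feb/2017:11:02:10 +0000] "GET /wp-json/wp/v2/posts/77?id=77 HTTP/1.1" 200 3021 "-" "curl/7.51.0"
192.0.2.55 - - [06/Feb/2017:11:02:11 +0000] "POST /?rest_route=/wp/v2/posts/77&id=77abc HTTP/1.1" 200 640 "-" "curl/7.51.0"
"""

# Fields of a combined-format line up to the response size; referrer and
# user agent are left unparsed because the check does not need them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The posts route named in the post, with or without the /wp-json prefix
# (sites without pretty permalinks reach the REST API via ?rest_route=).
POSTS_ROUTE_RE = re.compile(r'^(?:/wp-json)?/wp/v2/posts/(?P<post_id>\d+)/?$')


class Hit(NamedTuple):
    ip: str
    timestamp: str
    method: str
    target: str
    status: int
    confidence: str  # "high" when an id value is not a plain integer


def inspect_request(ip: str, ts: str, method: str, target: str, status: str) -> Optional[Hit]:
    """Return a Hit if the request matches the content-injection pattern, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    route = parts.path
    if parts.path in ("/", "/index.php") and query.get("rest_route"):
        route = query["rest_route"][0]
    if not POSTS_ROUTE_RE.match(route):
        return None
    ids = query.get("id")
    if not ids:
        return None  # ordinary REST read of a post; nothing to report
    # A legitimate client has no reason to add "id" on this route at all.
    # Values that are not plain integers (e.g. "1234abc") are the strongest
    # signal, since the affected releases cast such strings to a numeric post id.
    confidence = "high" if any(not v.isdigit() for v in ids) else "medium"
    return Hit(ip, ts, method, target, int(status), confidence)


def scan_log(text: str) -> List[Hit]:
    """Scan combined-format log text and return every matching request."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit = inspect_request(m["ip"], m["ts"], m["method"], m["target"], m["status"])
        if hit is not None:
            hits.append(hit)
    return hits


def is_vulnerable_wordpress_version(version: str) -> bool:
    """True for the releases the post names as affected (4.7.0 and 4.7.1).

    WordPress reports the 4.7.0 release simply as "4.7", so both spellings count.
    """
    return version.strip() in {"4.7", "4.7.0", "4.7.1"}


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.confidence:<6} {h.ip:<15} {h.timestamp}  {h.method} {h.target} -> {h.status}")
    for v in ("4.7", "4.7.1", "4.7.2"):
        state = "update to 4.7.2" if is_vulnerable_wordpress_version(v) else "not in the affected range"
        print(f"WordPress {v}: {state}")
```

To run it against a real log, read the file and pass its text to scan_log. Any hit, including a medium one, is worth checking against the site's rendered content for injected script, and turning on auto-updates remains the durable fix the post points to.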
SHA-1 collision is only made worse by Google’s countdown clock

Google researchers set the industry on fire with the first publication of a Secure Hash Algorithm 1 (SHA-1) cryptographic hash collision. SHA-1 plays a critical role in much of today’s IT infrastructure. The algorithm allows, among other things, unique identification of datasets, which is used by file reputation and whitelisting services, browser security, and more. Having two datasets hash to the same SHA-1 digest (what’s called a “collision”) undermines the safety of the algorithm. Attackers could potentially create a malicious file with the same hash as a benign file, bypassing current security measures. We wrote extensively about the collision in a recent Dark Reading article, expressing concern over how Google researchers were handling the news. As we explain, we felt that too much code was being released too early into the public domain given the scale of the problem. See the article for further details and how enterprises can best protect themselves.

Cloudbleed: The bug that showed the power of the cloud

The industry was reminded last month about how fast cloud security providers can fix problems. Project Zero researcher Tavis Ormandy identified a security problem in the edge servers of Cloudflare, a CDN provider that hosts many major services, including bitcoin exchanges. He was seeing corrupted web pages being returned by some HTTP requests. The so-called “Cloudbleed” problem (named for its similarity to the Heartbleed bug that affected many web servers in 2014) was triggered by an HTML parser Cloudflare rolled out in its service. The new piece of code triggered a latent bug, which leaked uninitialized pieces of memory containing private information, such as HTTP cookies and authentication tokens. Cloudflare addressed the problem in less than an hour by disabling the features that were using the new parser.

By contrast, Heartbleed, although patched relatively quickly, still lingers because customers fail to upgrade their servers. Three years after Heartbleed was first introduced, 200,000 servers remain vulnerable. Cloudflare customers aren’t completely off the hook, though. Since the new parser was activated in September 2016, private data is still cached in search engines and cache services. Cloudflare has been working with search engines to remove the cached memory. Services using Cloudflare, such as Bitcoin, have in turn issued a security warning to their users encouraging them to change their passwords and update or move to two-factor authentication (2FA). Organizations using Cloudflare should do the same. See this post for more information.

How To Migrate to a Multi-Cloud Deployment

As cloud migration becomes the norm for IT, enterprises of all sizes need to connect, secure and manage complex physical and cloud-based datacenters. What challenges will you face and how will you address them? Join us on our upcoming webinar, “Multi-Cloud and Hybrid Cloud: Securely Connecting Your Cloud Datacenters,” as Hal Zamir, vice president of infrastructure for Spotad, explains how he delivered a global, multi-cloud network to enable Spotad’s self-learning, artificially intelligent mobile advertising technology.

During the webinar Zamir will speak about:

The connectivity and security challenges Spotad faced with its multi-cloud deployment.
The approaches Spotad considered, and rejected.
The three-step process Spotad went through when connecting its global organization to multiple, multi-region AWS VPCs.

Zamir will be joined by Ofir Agasi, director of product marketing at Cato Networks. Agasi will bring real customer examples showing how they extended their legacy WANs using a secure cloud network to include cloud infrastructure and enable global user access.

Migrating to the cloud is a significant challenge for most organizations, especially when the migration involves multiple datacenters, mobile users and remote locations. Ensuring secure access to cloud assets with legacy networks often leads to two choices: backhauling cloud traffic to a central Internet access point or sending cloud traffic directly onto the Internet. The former leads to trombone routing that degrades the user experience, and the latter leads to security point solutions with fragmented policy and no real visibility and control. Zamir and Agasi will discuss a third alternative that suffers from none of these problems.

Read more on Hybrid cloud networking

Four Questions For Life After MPLS

Anyone who’s purchased MPLS bandwidth has experienced the surreal. While at home you might spend $50 for a 50 Mbps Internet link, MPLS services can cost 10 times more for a fraction of the bandwidth. SD-WANs promise to address the problem, of course, but even as an SD-WAN provider we can tell you that SD-WANs may not be the right choice for everyone. So much depends on how you answer certain questions about your business, the resources available, and your networking requirements. It’s why we put together a checklist (humbly called “The Ultimate Checklist”) for figuring out whether you should stick with MPLS or consider an SD-WAN.

Start by addressing the core questions to know if the Internet can play a role, in part or entirely, as your next backbone. The questions break down into four areas:

Availability - What level of network availability does your business require?
Capacity - How do capacity constraints impact your business?
Latency - How will your applications be impacted by the increased latency and loss incurred on the Internet?
Security - What do you need to secure the Internet access points at each of your offices?

Each of these four areas consists of dozens of sub-questions; we boiled them down to just 13. With security, for example, do you want to offload Internet traffic at the branch or backhaul traffic to the datacenter? If you’d like to eliminate the “trombone effect” and take advantage of the improved cloud and Internet performance that’s possible with SD-WANs, you’ll want Internet offload. But with Internet offload you’ll have another consideration: remote office network security.

MPLS services arose at a time when threats existed “out there” on the Internet and Internet traffic was the exception, not the norm. So we created a secured Internet access point for the company, backhauled Internet-bound traffic from offices across the WAN to that Internet hub, and minimized the need for branch security. Such an approach might have worked when threats were outside of the company and Internet traffic was the exception. But Internet traffic is now the norm, and today’s threats are as likely to emanate from our offices as they are from the Internet. As such, many security professionals are looking to apply advanced security services, such as malware protection and next generation firewall (NGFW), to the WAN as well as to Internet connections.

WAN architectures give you a range of choices for addressing these security considerations. MPLS services effectively segment traffic at layer 2, but provide no additional network security. SD-WANs segment traffic at layer 3 and encrypt traffic, but you’ll need a third-party vendor for advanced security services. Cloud-based SD-WANs go a step further and integrate the advanced security into the SD-WAN. There are many options and many kinds of architectures to consider. We hope “The Ultimate Checklist” helps.

Security + Network As a Service: the Better SD-WAN

We’ve been discussing the impact the dissolving perimeter has had on networking and IT. Changes in our applications (cloud migration) and where users work (mobility) are driving the shift to software defined wide area networks (SD-WANs), but they’re also forcing us to rethink how we securely connect our users, applications and data and deliver a compelling quality of experience. Unless the complete picture is assessed, IT is liable to simply shift costs between its domains. Rather than playing this kind of shell game on itself, IT should evaluate WAN architectures holistically and look at the quality of experience, availability, security, cost, agility, manageability, and extensibility of the network.

SD-WANs Aren’t Enough

Leveraging Direct Internet Access (DIA) allows SD-WANs to improve agility and reduce bandwidth costs, but fails to address, and sometimes exacerbates, other critical challenges. As we discussed in our previous post, whereas with MPLS networking teams had to wait weeks for new connections and days for bandwidth upgrades, SD-WAN’s use of DIA means new offices can be deployed in hours and days, and be reconfigured instantly. DIA also means IT can reduce its monthly bandwidth spend by as much as 90 percent.

The Internet Limits Peak Performance

Applications remain constrained by Internet performance. The brownouts and unpredictability of Internet connections will continue to disrupt applications. SD-WANs try to minimize this by connecting to multiple services; should one path slow down, SD-WAN nodes will steer application traffic to alternate paths based on a combination of business priorities, application requirements, and network performance. Yet where all paths suffer, due to pervasive Internet routing conditions, SD-WANs remain unable to help the application experience.

DIA Expands The Attack Surface

What’s more, the use of DIA that gives SD-WANs so much of their agility and cost benefits also increases the attack surface. Every office with DIA now requires the full range of security services, including next generation firewalls, anti-malware, URL filtering, IDS/IPS, sandboxing and more. This in turn increases operational costs, with the management, patches, upgrades and capacity planning needed to keep pace with increasing traffic load and a growing threat landscape. No wonder that nearly half (49 percent) of the respondents to our recent user survey indicated that their organizations pay a premium to buy and manage security appliances and software.

Missing Mobility and Cloud

Finally, while SD-WAN vendors do a very good job connecting offices, they’re less successful extending their overlays to the rest of today’s WAN: mobile users and the cloud. Mobile users are not supported at all by SD-WANs. Some SD-WAN vendors claim to deliver cloud instances for private cloud implementations, such as AWS. But these implementations come with inordinate complexity, whether from the nuances of how cloud providers implement cloud networking, cloud machine limitations that can only be resolved with greater cloud investments, bandwidth limitations, and more. And in all cases, companies remain subject to the variabilities of the Internet connecting to the cloud provider.

One WAN For All

Rather than trying to retrofit old solutions to today’s new realities, first think about where we’re headed. Perhaps if we had that vision then we could work backwards and figure out how best to get there. Everyone can agree that complexity is the enemy of network engineering. With more components come more equipment to purchase and maintain, and a greater likelihood that something will break. So as a basis we’d like to somehow create one network with one set of policies for all locations, all users (mobile and fixed), and all destinations (virtual or physical).
The network should have the agility and cost savings of SD-WAN and DIA with the performance and predictability of MPLS. Of course, we’d like to retain control over this network. Policies should align network usage with application requirements and business priorities. Applications more critical to the business should take priority over those less critical; VoIP and real-time applications should take precedence over backup. And we’d like our networks to be inherently secure. Once users connect into this network, they’d immediately inherit all of the necessary security services to protect themselves when working from the office, home or on the road.

Hardware, Software, or Cloud

So, that’s where we’d like to go, but what’s the best way to get there? The traffic manipulation and policy enforcement needed to make this vision a reality can occur in physical appliances, virtual appliances or software, or the cloud. Deploying an integrated security-networking appliance at each branch introduces the scaling challenges, management complexity and overhead implicit in physical appliances. What’s more, no physical appliance can address the needs of mobile users or the cloud.

Software appliances, such as network functions virtualization (NFV) instances, sound like the right approach. They introduce a degree of flexibility at the edge and are certainly of help to a service provider looking to modernize its box-based ecosystem. But like hardware appliances, software appliances must still be maintained and upgraded. As traffic volumes increase, scaling is still a problem. Leveraging new capabilities also means upgrading to new software, with all the risks of downtime implicit in those changes. And a full range of high availability and failover scenarios must be defined.

Client-based software is no better. The differences in processing capacity, memory, and the sheer range of device platforms make deploying security and networking processing on a mobile device challenging. Driving mobile users towards secure “chokepoints” compromises quality of experience and productivity, leading to compliance violations.

Cloud capabilities, if managed and deployed correctly, represent a great choice. By moving security and networking functions into the cloud, we can provide robust security that can scale as necessary, anywhere, without the adverse impact of location-bound appliances. All new features, enhancements and countermeasures can be made available to every resource (branch, datacenter, cloud instance or user) connecting to the cloud-based solution. This is what Networking + Security as a Service (N+SaaS) is all about.

Network+Security as a Service

N+SaaS moves all security, traffic steering and policy enforcement into a multi-tenant cloud service built on a global, privately managed network backbone. There is no need for network security at the remote site or within mobile users’ devices, as all Internet traffic is sent to and received from the N+SaaS service. Users access the N+SaaS backbone by tunneling across any Internet service to the nearest Point of Presence (PoP). IPsec-enabled firewalls and routers can be configured for these purposes, as can simple virtual or physical edge nodes. As traffic enters the N+SaaS private cloud network edge, the N+SaaS provider can steer customer traffic based on application-specific policies. Traffic is inspected and protected with a full network security stack built into the cloud network fabric. IT is freed from unplanned hardware upgrades, resource-intensive software patches, and the rest of the overhead of managing security appliances, leaving that to the cloud provider. New locations and mobile users can be quickly deployed and are seamlessly protected.

SD-WAN And Cloud Security

This approach is fundamentally different from the partnerships between SD-WANs and cloud security services. In that case, SD-WANs use service chaining to divert traffic to the cloud service for inspection.
At a tactical level, many such cloud security services only inspect HTTP traffic, requiring additional equipment and services to protect against attacks involving other protocols. More strategically, though, such an approach perpetuates the divide between networking and security tools, complicating deep integration between the two areas. Policy definition, where one policy governs security permissions, actions, and network configuration, is a basic example of how networking and security integration can reduce overhead. More sophisticated would be the correlation of networking and security information to reduce security alert volume, identify the alerts that truly matter, and take automatic action once a threat is identified, such as automatically terminating a session in case of an exfiltration attempt. These efforts become major “road map efforts” and “innovations” for SD-WAN vendors partnering with cloud security services precisely because of the challenges in exchanging and correlating information siloed behind security and networking walls. With N+SaaS, such capabilities are table stakes, as all of the necessary information is already available to the N+SaaS provider.

Private Backbone Is Essential

N+SaaS services are also built on privately run backbones, which is very different from SD-WAN cloud-managed offerings. The consistent, day-to-day performance of the N+SaaS backbone exceeds that of the Internet. Gone is the unpredictable latency, jitter and disruption of service that occurs on unmanaged backbones. The secure network’s performance and predictability rivals that of MPLS. By adopting DIA, companies lose none of the agility enabled by SD-WANs. Local loop resiliency is still possible with the same options used for SD-WANs. Fully redundant, dual-homed connections, such as connecting an office to xDSL and 4G Internet services, can be shown to approach or match MPLS uptime with unmanaged Internet, let alone private cloud networks (see this blog for the math behind those availability calculations).

N+SaaS: It’s More Than Just Hosting in The Cloud

By converging security and networking into the cloud, we eliminate the silent enemy of uptime, efficiency, security, and IT operations in general: complexity. An IT infrastructure with fewer “moving parts” is one that’s easier to deploy, manage, and maintain. As with any cloud service, CIOs and their teams will want to be sure N+SaaS providers can meet their service commitments. At a minimum, this means service level agreements (SLAs) around availability, latency, and packet delivery.

Extensibility Is Essential

But they will also want to look at the extensibility of the platform. As the provider delivers new services, how readily available are they to mobile and fixed users in new regions? Are they limited in some way, only applying to physical data centers and not the cloud, for example? These questions are particularly critical as service providers look to mirror the capabilities delivered by N+SaaS by selling cloud services off security and networking appliances built for enterprise or regional deployment. It’s more than an issue of supporting multi-tenancy. Simply shifting security appliances into the cloud burdens the service providers with the same management and maintenance costs as the enterprise, costs that must be pushed onto their customers. Delivering services “everywhere” also becomes more difficult as customer resources are bound to specific instances within a region, putting complex management of distributed appliances right back on the table.

The Way Forward

The state of business today is expanding globally, relying on data and applications in the cloud and driven by a mobile workforce. IT needs to adapt to this new reality, and simplifying the infrastructure is a big step in the right direction. One network with one security framework for all users and all applications will make IT leaner and more agile. Converging networking and security is essential to this vision. And while SD-WANs are a valuable evolution of today’s WAN, N+SaaS goes a step further, bringing a new vision for networking and security to today’s business.

Read about network service chaining

How SD-WANs Can Become Next Generation WAN Architectures

While SD-WANs are a valuable first step towards evolving the wide area network, they only address a small part of the dissolved enterprise perimeter challenge. With the rise of mobility, cloud datacenters, and Software as a Service (SaaS), the classical demarcation between public and private networks becomes less relevant, driving changes in four IT disciplines: security, cloud, mobility, and networking. By addressing the full implications of the dissolved perimeter, CIOs and IT managers can reduce operational costs and improve effectiveness across IT.

Impact of the Dissolved Perimeter

The traffic patterns driving SD-WAN adoption change how companies protect their users and data. As mobile users connect directly to the Internet through unsecured Wi-Fi hotspots and offices access cloud resources via direct Internet access, the attack surface grows. This, at a time when security teams already struggle to keep ahead of threat actors and new attack vectors.

Incremental approaches to addressing the dissolved perimeter perpetuate the limitations inherent in existing IT structures. Capabilities remain duplicated between products, increasing capital costs. Networking, security, and mobility technologies are deployed and operated independently. As such, critical information becomes “siloed” behind disparate tools. It’s not that IT lacks the right information to solve its problems; it’s that the right information isn’t readily available to the right team at the right time. With information locked behind application silos, operational improvements, such as automation, become increasingly complex.

Changing the WAN is an opportunity to fix the bigger problem of the dissolved perimeter. By creating an integrated cross-domain approach to security, networking, cloud and mobility, IT can become leaner and more effective, unburdening teams from much of their mundane chores and accelerating the delivery of new business capabilities. Rather than multiple policies governing each technology, organizations can create a single policy integrating the four IT disciplines. Instead of locking information within proprietary networking and security tools and complicating attack detection and response, an integrated approach allows teams to quickly deploy countermeasures against current and emerging threats.

Integrated Security-Network Evaluation

CIOs and IT leaders should pull together an interdisciplinary team to take a strategic approach to the new WAN and the dissolved perimeter. The team should include line-of-business members, application team leads, as well as networking, security and mobility representatives. The goal: to understand the full impact a proposed networking architecture will have on all IT disciplines. Areas to be evaluated include quality of experience, availability, security, cost, agility, manageability, and extensibility.

Quality of Experience

Legacy WAN architectures tried to solve a security challenge through networking design. Rather than connecting every location to the Internet and then having to secure those locations, legacy WANs backhauled Internet traffic across the MPLS network to a centralized, secured Internet portal. When the portals sit near or within the path to the Internet destinations, the performance impact of such an architecture is usually nominal. However, when a portal is out-of-path or far away from the destination, latency increases in what’s called the “trombone effect,” often degrading the quality of experience. The quality of experience for a user in Tokyo, for example, can suffer significantly if the user must first send Internet traffic to the Internet portal in San Francisco to reach a destination back in Tokyo.

But even without the trombone effect, Internet routing performance is unpredictable and unoptimized. For one, the Internet is a collection of networks, each managed per the business requirements of its provider. As such, ISPs will dump traffic on peers even if a faster route is available across their own networks. What’s more, without a provider managing end-to-end performance, latency and packet loss rates fluctuate significantly, particularly when sessions cross between provider backbones. In addition, Internet routing does not consider the nuances of individual applications. The path-selection process for loss-sensitive applications, such as VoIP and video, is no different from that for applications that are bandwidth intensive. Without being able to differentiate between applications, Internet routing leads to a suboptimal application experience. By knowing the location of applications (datacenter or cloud) and of prospective mobile and fixed users, CIOs and their teams can anticipate these performance hurdles and challenges. Those challenges can be addressed by leveraging a range of technologies including SLA-backed networks, WAN optimization tactics and more.

Availability

SD-WANs give organizations several choices in this area: using existing MPLS services, adding broadband or 4G Internet connections, or using a mix. Each service comes with its own cost structure and capabilities. To align availability requirements and needed investments, CIOs, CISOs, and their teams need to understand the importance of the applications and business locations to the company, and align networking and security availability options accordingly. Security teams will want to identify whether redundancy is needed in branch security design and explain what happens when a failure occurs at a branch security appliance. Will security still be enforced? From a mobility perspective, teams need to assess the importance of assuring regional or global VPN access to WAN resources.
Security SD-WANs achieve significant gains in agility and cost reduction in large part due to their ability to leverage direct Internet access (DIA) at branch offices. But DIA also significantly expands the attack surface far beyond that which can be protected by the basic firewall provided in SD-WAN appliances. In addition to the encryption used to secure SD-WAN tunnels, branches also require URL filtering, anti-malware, IDS/IPS, sandboxing and more. Costs While cost reduction drives SD-WAN interest, it may be far less significant than realized when evaluating the fuller picture of the WAN architecture. Research shows that DIA bandwidth costs can be as much as 90 percent less than MPLS bandwidth costs. But to improve uptime DIA will also require dual-homed links. Fiber runs are preferable for DIA just as they were with MPLS, further reducing savings. Dual-homing means multiple suppliers at each branch, increasing supplier management costs. Increasing the attack surface through DIA will also require additional security measures to be implemented at the branch. Security teams will need to be consulted to better understand the associated capital and operational costs required to secure those new Internet access points.  Converging multiple IT disciplines can lead to further reduction in operational and capital expenses. Agility One of the rallying cries for SD-WANs is the promise that organizations will be able to adapt to business requirements far faster than with a private data service, such as MPLS, see “A Guide to WAN Architecture & Design”. By separating the underlay (the data services) from the application, SD-WANs allow networking teams to respond quickly to changing business requirements. New offices can be brought up instantly with 4G connections and switched over to business Internet services as necessary. Zero Touch Provisioning (ZTP) makes deploying new equipment trivial.  
Giving applications more bandwidth or adding more users at a site becomes much easier. But agility is more than just a networking issue. It’s also a security requirement. Organizations will want to be sure security teams can meet those same agility objectives. Can they secure DIA in equally short time? New users and applications require changes to traffic and security policies. How quickly and easily can those be instantiated and delivered to the branch? What about ongoing management of security appliances and services: will those impede the business in any way? These and other questions need to be considered carefully before opening the branch office to the Internet.

Management

WAN architectures impact management and operations differently. With MPLS services, organizations had one “throat to choke” should there be an outage, and one bill for all WAN services. With SD-WANs requiring multiple suppliers, supplier management becomes a bigger operational challenge. The same is true for consolidated billing and the other “extra” benefits of using a single supplier. Operations will also want to look at the challenge of running the SD-WAN from a networking and security perspective. Are additional skills going to be required to handle the policy-based routing, tunnel management and the rest of the actions needed to build out and maintain an overlay? How complex is it to introduce a new application company-wide, for a department, or for a site? Attention should also be given to the integration of network and security. Ideally, a single policy should encompass both domains.

Extensibility

Conventional WANs connect offices, but with more users working out of the office and most traffic destined for the Internet, organizations need to evaluate the extensibility of any WAN architecture. Can mobile users connect to the overlay and easily access enterprise applications? How is optimum path selection made when there’s no integration with cloud datacenters?
Policy configuration and distribution, performance, and security all need to extend to the mobile user and the cloud as well as to the office.

A New Kind of WAN

By taking a more holistic view of the challenges stemming from the dissolved perimeter, organizations are in a better position to evaluate SD-WAN architectures. Which architectures are best positioned to address the new challenges facing IT? We’ll answer that question in our next blog.

The Promise and Peril of SD-WANs

Software-Defined Wide Area Networks (SD-WANs) promised to address the high costs, rigidity and limitations of private MPLS services. Like so many technologies, though, there are the promises of SD-WANs and then there are the realities of SD-WANs. SD-WANs reduce bandwidth costs, no doubt, but enterprises are still left having to address important issues around cloud, mobility, and security.

The Problem of MPLS

Bandwidth costs remain the most obvious problem facing MPLS services. Anyone who’s purchased MPLS bandwidth for their business and Internet DSL for their home has endured the surreal experience of paying 3 times or even 10 times more per megabit for MPLS bandwidth. High per-megabit pricing is out of step with today’s tendency towards video-oriented, bandwidth-intensive Internet- and cloud-bound data flows. Spending precious MPLS bandwidth to backhaul this traffic to a centralized Internet hub makes no economic sense, particularly when direct Internet access could be available from the office or within the region.

Less pronounced, but perhaps equally important, is the rigidity of MPLS services. Provisioning new MPLS locations can require three to six months, depending on the service provider. Bandwidth upgrades and changes can also take weeks. Contrast that with Internet connections, where activation requires just days, or even minutes in the case of 4G.

Yes, there are good reasons for MPLS’ higher costs. As managed services, MPLS services are backed with service level agreements (SLAs) governing downtime, latency, packet loss, time to repair, and more. MPLS uptime is typically high, on the order of 99.99% per year depending on the service. Additionally, MPLS loss and latency statistics are more consistent and generally lower than those of the Internet. Internet performance has improved significantly over the years, no doubt.
As this post notes, overall Internet packet loss rates have steadily improved since 1999, falling by as much as 88 percent. The problem, though, is the consistency of path performance, particularly as connections cross between Internet providers. In our recent survey of more than 700 networking, security, and IT executives and professionals from around the globe, 43% of respondents indicated that latency (along with the cost of buying and managing appliances) was their number one WAN challenge. While MPLS providers minimize latency by running their own routing end-to-end (or by negotiating premium connections with other MPLS providers), Internet routing optimizes for economics. Internet providers dump packets on peering networks depending on the economic realities, adversely impacting application performance. However, the additional value of MPLS doesn’t improve the IT balance sheet. With CIOs seeking budgets to drive new initiatives, finding ways to reduce WAN costs to free up budget is driving many enterprises to consider SD-WANs.

The Promise of SD-WANs

SD-WAN providers have argued that organizations can reduce costs and increase their agility by augmenting and, at times, replacing MPLS with Internet services. To achieve those aims, SD-WAN nodes form an encrypted overlay across the underlying data services, such as xDSL and 4G Internet services, or private services such as MPLS circuits. As traffic enters the SD-WAN, application-aware routing algorithms evaluate the end-to-end path performance across the available underlying services, selecting the optimum path based on application constraints, business priority and other metrics. Email replication, file transfers and other bandwidth-intensive, latency-tolerant applications may be sent across an Internet path, while VoIP sessions, which are sensitive to jitter and packet loss, would be sent across MPLS (or an Internet path with low jitter and packet loss).
It is possible to achieve similar capabilities across MPLS by combining Dynamic Multipoint VPN (DMVPN), Cisco Performance Routing (PfR), and real-time quality measurements. However, those measures add complexity to the configuration. Tools such as PfR can be tricky to deploy and maintain. Adding new applications to the WAN, for example, may force updates to router configs. SD-WANs automate these and other steps.

Enterprises have long improved site availability by pairing MPLS with backup Internet connections. Active-active configurations are possible with routing, but can lead to imbalanced connections. Path failover is also too slow to sustain a session. Policies are also needed to prioritize traffic flows in the event of an outage. In practice, most enterprises leave their secondary connections dormant. SD-WANs make using dormant Internet connections trivial. Minor policy configurations allow SD-WANs to balance traffic across connections. In the event of a brownout or blackout, additional policy details determine access to the primary link. Improving uptime by dual-homing locations is simplified further with SD-WAN by using xDSL and 4G from different providers. Again, it’s not that this was impossible without SD-WANs; it’s just made more accessible.

The Prospect for the New WAN

Moving away from the physical WAN to a virtual overlay is a first step towards addressing the needs of the modern enterprise. SD-WANs, however, don’t go far enough: they leave the enterprise dependent on MPLS and fail to address today’s cloud, security and mobility challenges. While Internet performance has improved, latency and packet loss rates can and do fluctuate significantly moment-to-moment and day-to-day. This is particularly true when connections reach between continents or dense Internet regions. Unpredictable performance poses a significant challenge to delivering mission-critical services and real-time applications.
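The application-aware path selection and the brownout/blackout failover described above, as an added example that is not code from the original post or from any SD-WAN vendor: a small policy engine that picks an underlay per application class from measured path statistics and re-evaluates when a link degrades or fails. Link names, thresholds and measurements are constructed sample values.

```python
"""Application-aware path selection for an SD-WAN overlay (added example).

Not code from the original post or any vendor. A policy engine that picks an
underlay for each application class from measured path statistics and
re-evaluates the choice when a link degrades or fails. All link names,
thresholds and measurements below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PathStats:
    """Latest end-to-end measurements for one underlay (constructed)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    free_mbps: float
    cost_per_gb: float        # relative cost of carrying traffic on this link
    up: bool = True


@dataclass
class AppPolicy:
    """Constraints and business priority for one application class."""
    app: str
    priority: int                          # higher = more business-critical
    max_latency_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    min_mbps: float = 0.0
    optimize: str = "cost"                 # "cost" for bulk, "quality" for real-time
    preferred: List[str] = field(default_factory=list)


def meets_constraints(policy: AppPolicy, path: PathStats) -> bool:
    """A path is eligible only if it is up and inside every stated limit."""
    if not path.up:
        return False
    checks = (
        (policy.max_latency_ms, path.latency_ms),
        (policy.max_jitter_ms, path.jitter_ms),
        (policy.max_loss_pct, path.loss_pct),
    )
    if any(limit is not None and value > limit for limit, value in checks):
        return False
    return path.free_mbps >= policy.min_mbps


def score(policy: AppPolicy, path: PathStats) -> float:
    """Lower is better. Real-time classes minimise jitter and loss;
    latency-tolerant classes minimise cost. Preferred links get a small bonus."""
    if policy.optimize == "quality":
        s = path.jitter_ms + 10.0 * path.loss_pct + path.latency_ms / 10.0
    else:
        s = path.cost_per_gb * 10.0 - path.free_mbps / 100.0
    if path.name in policy.preferred:
        s -= 1.0   # tie-breaker towards the administrator's preference
    return s


def select_path(policy: AppPolicy, paths: List[PathStats]) -> Optional[str]:
    """Name of the best eligible underlay, or None when every path violates
    the policy (the caller then chooses between degraded delivery and dropping)."""
    eligible = [p for p in paths if meets_constraints(policy, p)]
    if not eligible:
        return None
    return min(eligible, key=lambda p: score(policy, p)).name


def route_all(policies: List[AppPolicy], paths: List[PathStats]) -> Dict[str, Optional[str]]:
    """Assign every application class, highest business priority first."""
    return {p.app: select_path(p, paths)
            for p in sorted(policies, key=lambda p: -p.priority)}


def with_link_state(paths: List[PathStats], name: str, up: bool) -> List[PathStats]:
    """Copy of the path table with one link marked up or down (failover drill)."""
    return [PathStats(**{**vars(p), "up": up}) if p.name == name else p for p in paths]


# Constructed sample: an MPLS circuit, a business DSL line and a 4G backup.
SAMPLE_PATHS = [
    PathStats("mpls", latency_ms=40, jitter_ms=2, loss_pct=0.01, free_mbps=8, cost_per_gb=9.0),
    PathStats("dsl", latency_ms=55, jitter_ms=12, loss_pct=0.4, free_mbps=60, cost_per_gb=1.0),
    PathStats("lte", latency_ms=90, jitter_ms=35, loss_pct=1.5, free_mbps=20, cost_per_gb=3.0),
]

SAMPLE_POLICIES = [
    AppPolicy("voip", priority=10, max_jitter_ms=15, max_loss_pct=0.5,
              max_latency_ms=150, min_mbps=1, optimize="quality"),
    AppPolicy("email-replication", priority=3, max_latency_ms=400,
              min_mbps=5, optimize="cost"),
]


if __name__ == "__main__":
    print("normal:     ", route_all(SAMPLE_POLICIES, SAMPLE_PATHS))
    print("mpls down:  ", route_all(SAMPLE_POLICIES, with_link_state(SAMPLE_PATHS, "mpls", False)))
```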
As such, many enterprises invest in purchasing and engineering their SD-WANs, but can never abandon MPLS, forced to maintain those services to handle their “sensitive” traffic. If continued dependence on MPLS were the only challenge for SD-WANs, that would be one thing. After all, Internet connectivity is continuing to improve and, perhaps, in another lifetime it will provide the consistent performance on long-distance and inter-backbone connections we find on MPLS. But the greater challenge with SD-WANs is that they fail to adapt to fundamental changes to the enterprise.

When we first built our MPLS-based backbones, the WAN was synonymous with site-to-site connectivity. We connected offices and headquarters, factories and data centers. Applications resided in datacenters and sites we controlled. Our perimeter and our responsibilities were demarcated by the company’s final hop, beyond which was the nothingness of pre-Internet days or the big bad world of the Internet. Remote and teleworkers were the exception. Their connectivity challenges were often addressed by a different IT group and certainly a different product set than the one we used to build our WANs. Nearly half of all organizations still force their mobile users to connect to an appliance in a specific location in order to gain access to public cloud applications.

Today, the network perimeter is all but gone, thanks to mobility and the cloud. Yet IT must still provide mobile users with access to cloud applications and services without compromising on performance, security, manageability and control. Mobile users are still concerned (whether they know it or not) with selecting the optimum path for their traffic. They still need to have their traffic secured end-to-end. Operations teams still want to know mobile users’ traffic patterns and more.
Forcing separate remote access equipment with its own set of policies and controls makes little fiscal or operational sense when those policies and controls are already needed for the SD-WAN. Most SD-WANs do not address mobile workers or, for that matter, the cloud. There is no “SD-WAN mobile client” or mechanism for the mobile worker to connect into the SD-WAN. As for the cloud, most cannot situate their SD-WAN nodes in or near the datacenter running the company’s cloud instance(s) or housing the user’s data. Consequently, enterprises lose out on SD-WAN benefits in both cases: user traffic may be unencrypted, path selection is impossible, and any management insight and control is gone.

Cloud and Internet access also increase the costs of SD-WANs. Breaking traffic out at the branch or at regional Internet portals makes fiscal sense, but increases a company’s attack surface. SD-WANs lack the tools to address those risks. Their security is limited to encrypting traffic in transit and, in some cases, hardening their devices against attack. Firewalling, URL filtering, anti-malware: the threat protection tools needed to protect the enterprise are not part of the SD-WAN, which is why some SD-WAN vendors partner with security vendors. Enterprises are left purchasing, deploying, and maintaining security equipment and software, costs often ignored when SD-WAN providers tout SD-WAN’s savings.

Bottom Line

SD-WANs are a valuable first step in developing a more easily deployed and managed WAN. But enterprises adopting SD-WANs must be prepared to address unmet performance and security challenges for offices, the cloud, and mobile users. What will that new SD-WAN look like? We’ll dive in to find out in our next blog post.

Remote Code Execution, Phishing, and More: Cato Research Labs Reviews January Security Events

January started out with a bang as Check Point showed that pictures can be worth far more to hackers than just 1,000 words. Embedding threats in images, though, wasn’t the only security story of significance last month. A number of other stories (and not of the political kind) also occupied the conversation among researchers here at Cato Research Labs.

January 4th

ImageGate: Check Point uncovers a new method for distributing malware through images

Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images (source: Check Point blog).

The attack is very smooth. The attackers managed to trick both Facebook and LinkedIn filetype filters, delivering embedded malicious code that executes on the operating system. The attack is related to the massive malware campaign of Locky ransomware spread via social network channels that we discussed here. Facebook ended up aggressively blocking any Scalable Vector Graphics (SVG) files. Nice work by Check Point researchers for managing to upload a file with embedded malicious code and then change the filename to .hta.

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process (source: Slashdot).

On one hand, GoDaddy’s revoking that large number of website certificates may seem like a very aggressive action. But GoDaddy engineers are probably aware that browsers do not validate certificates against CRLs by default, as doing so may impact the browsing experience. So they decided to be on the safe side in this case.
Also, it’s surprising that GoDaddy was unable to trace back through their logs and verify which websites were actually attacked.

January 13th

Crime Doesn’t Pay: Shadow Brokers Close Up Shop After Failing to Sell Stolen NSA Hacking Tools

Call it a victory for the good guys. The Shadow Brokers, who previously stole and leaked a portion of the NSA’s hacking tool-set, closed up shop this month, a few days after trying to sell another package of hacking tools, “Equation Group Windows Warez.” The new tools included Windows exploits and antivirus bypass tools, stolen from the NSA-linked hacking unit, The Equation Group (source: The Hacker News).

In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed (source: Ars Technica).

The mysterious group that has been with us since September has “retired.” Many of the tools they published affected firewall vendors and show the vulnerability of appliances. The Shadow Brokers may no longer be with us, but from a technical perspective they leave a huge impact (as well as many questions about proper upgrades and patching) on the appliance industry.

January 20th

Everyone Is Falling For This Frighteningly Effective Gmail Scam

Security researchers have identified a "highly effective" phishing scam that's been fooling Google Gmail customers into divulging their login credentials. The scheme, which has been gaining popularity in the past few months and has reportedly been hitting other email services, involves a clever trick that can be difficult to detect (source: Fortune).

There's still a buzz around the phishing scam that steals credentials from Gmail users. This one seems very effective, but frankly isn’t all that new. It’s been floating around at least since last June.
Any enterprise with a properly configured URL filter or IPS (or that subscribes to a service with one of those tools) can block the exfiltration site used in the attack.

January 25th

Widely used WebEx plugin for Chrome will execute attack code—patch now!

Publicly known “magic string” lets any site run malicious code, no questions asked (source: Ars Technica).

Very impressive. Google researchers found a vulnerability in the Cisco WebEx Chrome extension, used by about 20 million users. The vulnerability lets any website execute arbitrary code on a client with the extension. Cisco has already released a patch, but companies will want to encourage users to restart Chrome so the extension upgrades. Meanwhile, they should consider applying a virtual patch.

January 29th

Gmail will stop allowing JavaScript (.js) file attachments starting February 13, 2017

Google announced Gmail will soon stop allowing users to attach JavaScript (.js) files to emails for obvious security reasons. JavaScript files could represent an insidious threat for the recipient; for this reason, starting February 13, 2017, .js files will no longer be allowed (source: Security Affairs).

Looks like Google is picking up on the phishing scam. JavaScript (JS) attachments were the mechanism by which the attackers presented the phishing screen used in the scam. JS malware has been gaining popularity for the past several months, in part because malicious JS files are saved to disk and can run outside the browser on the Windows operating system. Blocking these attachments will definitely reduce the attack surface, but won’t address the full problem. Attackers may still use other types of files (e.g. zipped files, docs, PDFs) to deliver attacks. Although these files are sandboxed, attackers can still rely on social engineering techniques to break out and run on the PC.
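The gateway-side counterpart of the Gmail block above, as an added example that is not Google's or Cato's code: a mail attachment screen that rejects script files by name and also inspects zip attachments, the "zipped" evasion the post anticipates. The blocked-extension list and the sample message are constructed for this example.

```python
"""Screening mail attachments for script files, including inside zip archives.

Added example, not Google's or Cato's code. It applies a Gmail-style block on
.js attachments at a mail gateway and also looks inside zip attachments, the
evasion the post above anticipates. The extension list and the sample message
are constructed for this example.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from typing import List

# Script types Windows runs outside the browser when double-clicked
# (constructed starting list; extend it for your environment).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every non-empty zip


def is_blocked_name(name: str) -> bool:
    """Case-insensitive match, ignoring trailing dots and spaces that
    Windows strips before deciding which handler opens the file."""
    lowered = name.lower().rstrip(". ")
    return any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def zip_members(data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """All member names of a zip, descending into nested zips up to max_depth.
    Corrupt or non-zip data yields an empty list rather than an exception."""
    found: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                found.append(info.filename)
                inner = zf.read(info)
                if inner.startswith(ZIP_MAGIC) and depth < max_depth:
                    found.extend(f"{info.filename}/{m}"
                                 for m in zip_members(inner, depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass
    return found


def blocked_attachments(raw: bytes) -> List[str]:
    """Names of attachments (or archive members) a gateway should block.
    Archive detection keys on the payload's magic bytes, not only on the
    filename, so a renamed zip is still inspected."""
    msg = email.message_from_bytes(raw)
    hits: List[str] = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(name):
            hits.append(name)
        if payload.startswith(ZIP_MAGIC):
            hits.extend(f"{name}:{m}" for m in zip_members(payload)
                        if is_blocked_name(m))
    return hits


def build_sample_message() -> bytes:
    """Constructed message: a bare .js, a .js hidden in a zip, and a PDF placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"// placeholder script body", maintype="application",
                       subtype="javascript", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder script body")
        zf.writestr("readme.txt", "placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in blocked_attachments(build_sample_message()):
        print("block:", hit)
```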

Ticketbleed Undermines SSL Security

The recent report that F5’s BIG-IP leaks memory once again underscores the risks of relying heavily on security appliances. The exploit, called “Ticketbleed,” could enable attackers to intercept SSL traffic. The name comes from the Heartbleed exploit that caused headaches in 2014, reports the Register.

According to the description of Ticketbleed in the National Vulnerability Database: “A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well."

The exploit was first discovered by Cloudflare cryptography engineer Filippo Valsorda, and found to affect 10 BIG-IP appliances. You can see a complete list of impacted appliances here. The exploit is being considered “high” in severity, and F5 customers are encouraged to upgrade their software. You can also mitigate the vulnerability by disabling session tickets on the affected Client SSL profile. Valsorda has also created a site for testing hosts for their vulnerability to Ticketbleed. According to the site, 3 of the top 1,000 Alexa sites were vulnerable to the exploit.

While all software products can have bugs and vulnerabilities, we at Cato think that the appliance form factor makes it particularly difficult for enterprises. Customers struggle to fully patch all systems in a timely manner, especially in a distributed environment. Rather than chasing after the latest vulnerability in every appliance, enterprises can simplify security operations with cloud-based security providers. Cloud-based security shifts the burden of responding to every exploit to the provider, who has a financial interest in keeping security infrastructure current.
Cloud security services are inherently faster and easier to patch than enterprise appliances, which improves overall security posture. And any security update made to the service on behalf of one customer immediately helps all customers.

The benefit of cloud-based security is particularly acute for small to medium enterprises (SMEs). These organizations typically cannot afford full-time security researchers, advanced threat prevention, or the threat intelligence subscriptions needed to ensure timely detection and response to new exploits. Those costs are assumed by the security provider.

To learn more about the benefits of moving from appliances to security services, download our Drop the Box! eBook.

451 Research Reviews the Cato Cloud

Medium-sized enterprises face a broad range of challenges in networking and security. Cato addresses those challenges by integrating the two domains in what a recent 451 Research report described as representing “one of the significant conceptual takedowns of security-as-overlay.” You can read the report in its entirety here.

Noting that Cato is “disruptive” and offering a “new breed of network as a service,” the 451 Research report points out that Cato addresses a list of networking and security pain points felt by medium-sized distributed enterprises. In terms of networking, the WAN is incompatible with the modern enterprise on several levels:

- MPLS is a major cost item with huge lead times necessary for new deployments.
- Backhauling of Internet traffic is quickly outstripping existing MPLS links, driving the introduction of technologies like SD-WAN. Yet backhauling Internet traffic still makes little sense and causes a trombone effect: added latency which impacts the user experience.
- Direct internet access (DIA) at the branch, which is the natural thing to do, is costly and complex because a full security stack must be deployed in each location.
- The WAN doesn't naturally extend beyond physical locations to accommodate the new tenants of the enterprise, the cloud and mobile users.

At the same time, security appliances are incompatible with the modern enterprise for several reasons, including:

- Appliances need to be bought, deployed, maintained, upgraded and retired.
- Appliances cover only the local network segment. Many pieces are needed to cover the full network.
- Appliances need the support, care and feeding of an experienced staff.
- Appliance software updates lag because they are high risk and complex. This drops appliance effectiveness over time.

451 Research notes that Cato addresses these areas and that, while there are other players in the networking and security markets, none can match Cato’s value proposition.
As 451 puts it: “…We view Cato as differentiated by its purpose-built, converged secure cloud-networking stack and multi-tenant architecture, which does not tie customers to PoPs, is not composed of custom appliances for customers (other than access sockets) and is unlikely to incur traditional scaling and activity costs attributable to customer expansion…”

To read the full report, click here.

How MSSPs Can Drop The Box

MSSPs (Managed Security Service Providers) know all too well the challenges enterprises face when managing their security appliances. After all, it’s those challenges that give MSSPs their business. What’s less clear is how MSSPs can deliver security services and meet those challenges in a way that builds a profitable business. Cloud security services provide an answer.

Organizations are often challenged when managing their on-premises and distributed network security stack. They need to plan for capacity increases at each location, maintain hardware, and patch software. As the business grows and new security requirements emerge, forced upgrades of appliances become a way of life.

MSSPs face the same challenges on a grander scale. Simply selling services off of the same security appliances doesn’t solve the issue. As an MSSP, you’re still faced with the effort and time to onboard new customers. Reducing your cost per site is critical if you’re going to scale the business. As such, automating as much as possible to eliminate the grunt work of running appliance-based networks is important. Similarly, you need to create streamlined processes to efficiently manage customer networks. And there still remains the challenge of delivering unique and differentiated security capabilities.

By packaging cloud security services for their customers, MSSPs gain the differentiation and value they seek without the overhead and costs of appliance-based architectures. Firewall as a Service (FWaaS) was recently recognized by Gartner as a high-impact emerging technology in infrastructure protection. With FWaaS, the network security stack is moved to the cloud, eliminating the high-touch headaches triggered by distributed network security appliances. FWaaS scales to meet traffic requirements without the time and pain of upgrading individual appliances at each user site.
To determine if FWaaS matches your business and customers, consider nine areas: planning, provisioning and onboarding, policy management, software patches, hardware refresh, capacity constraints, product enhancements, troubleshooting, and end of life. With the right FWaaS, you should be able to eliminate mounds of security and networking appliances from your customers’ premises. Gone are the capital costs of security services, and significantly reduced are your operational costs. Your cost per site should drop for a fast return on investment (ROI), and you should be able to reach new customers with a FWaaS that’s available everywhere.

To learn more about FWaaS and see how it compares with firewalls or Unified Threat Management (UTM) appliances, read our insightful MSSP edition eBook, Switching Firewall Vendors? Drop the Box!

SD-WAN and Beyond: What to Consider in a WAN Transformation?

Companies should not be shortsighted when upgrading their WANs. It’s not “just” about cutting the cost of their existing MPLS-based WANs. It’s also about looking forward and addressing the bigger challenges facing the business around the cloud, mobility and more. We’ll look at those challenges this week when long-time industry veteran and expert Dr. Jim Metzler joins us on our webinar, “Critical Capabilities for a Successful WAN Transformation.” Dr. Metzler will share research from a recent study into the current drivers and inhibitors for WAN transformation and the deployment of SD-WAN. You can learn more about the webinar and register for it here.

Today’s business has evolved significantly since the adoption of MPLS-based WANs. Per-user bandwidth consumption has likely grown significantly since your organization adopted an MPLS-based WAN. Fixed locations connected by MPLS services have given way to mobile users. Cloud services are as popular among users, if not more popular, than the corporate applications in the MPLS-connected datacenters. Security threats have skyrocketed, and so have the number of security appliances. No longer is there a safe corporate network and a dangerous Internet; the perimeter has dissolved, leaving just the network.

The WAN has not kept up with those changes. Internet bandwidth, for example, can cost a tenth of what MPLS circuit bandwidth costs. Provisioning MPLS circuits can take months, while Internet connections can be provisioned in weeks. Mobile users and the cloud are ignored by MPLS. Jim will explore these and other issues in his research on the webinar.

SD-WANs address some of those challenges. They reduce bandwidth costs by leveraging Internet connections. They deploy faster and improve agility by also using self-provisioning technologies. They maintain availability and uptime, even with the Internet, by using multiple connections.
Ofir Agasi, our director of product marketing, will walk through the benefits of SD-WANs along with the best practices and core requirements for a successful SD-WAN project.

At the same time, SD-WANs continue to struggle when solving the bigger challenges confronting your enterprise. Those challenges include support for mobile users and ever-growing security costs. Ofir will provide you with a checklist of those challenges. He’ll also explain how you can maximize the business benefits of SD-WAN by converging networking, security, cloud and mobility. If SD-WANs are an interest and concern for you, or you’d like to fix some of the bigger challenges facing your IT teams, join us for the webinar. It should be an insightful and informative one.