Cato SASE Cloud: Enjoy Simplified Configuration and Centralized, Global Policy Delivery
In this article, we will discuss some of the various policy objects that exist within the Cato Management Application and how they are used. You may be familiar with the concept of localized versus centralized policies that exist within legacy SD-WAN architectures, but Cato’s cloud-native SASE architecture simplifies configuration and policy delivery across all capabilities from a true single management application.
Understanding Cato’s Management Application from Its Architecture
To understand policy design within the Cato Management application, it’s useful to discuss some of Cato’s architecture. Cato’s cloud was built from the ground up to provide converged networking and security globally. Because of this convergence, automated security engines and customized policies benefit from shared context and visibility allowing true single-pass processing and more accurate security verdicts.
Each piece of context can typically be used for policy matching across both networking and security capabilities within Cato’s SASE Cloud. This includes elements like IP address, subnet, username, group membership, hostname, remote user, site, and more. Additionally, policy rules can be further refined based on application context including application (custom applications too), application categories, service, port range, domain name, and more. All created rules apply based on the first match in the rule list from the top down.
Whitepaper: Cato SSE 360: Finally, SSE with Total Visibility and Control (https://www.catonetworks.com/resources/cato-sse-360-finally-sse-with-total-visibility-and-control/?utm_source=blog&utm_medium=top_cta&utm_campaign=cato_sse_360)
A Close Look at Cato’s Networking Policy
Cato’s SASE Cloud is comprised of over 75 (and growing) top-tier data center locations, each connected with multiple tier 1 ISP connections forming Cato’s global private backbone. Cato automatically chooses the best route for your traffic dynamically, resulting in a predictable and reliable connection to resources compared with public Internet. Included features like QoS, TCP Acceleration, and Packet Loss Mitigation allow customers to fine-tune performance to their needs.
1. Cato Network Rules are pre-defined to meet common use cases. They can be easily customized, or you can create your own rules based on context type.
By default, the Cato Management Application has several pre-defined network rules and bandwidth priority levels to meet the most common use cases, but customers can quickly customize these policies or create their own rules based on the context types mentioned above. Customers can control the use of TCP acceleration and Packet Loss Mitigation and assign a bandwidth priority level to the traffic. Additionally, traffic routing across Cato’s backbone is fully under the customer’s control, allowing egressing from any of our PoPs to get as close to the destination as possible. You can even egress traffic from an IP address that is dedicated to your organization, all without opening a support ticket.
2. Bandwidth Priorities: With Cato, it’s easy to assign a bandwidth priority level to the traffic.
Cato’s Security Policies Share a Similar, Top-Down Logic
Cato’s security policies follow the same top-down logic and benefit from the same shared context as the network policy.
3. Internet Firewall Rules enforce company-driven access policies to Internet websites and apps based on app name, category, port, protocol and service.
The Internet Firewall utilizes a block-list approach and is intended to enforce company-driven access policies to Internet websites and applications based on the application name, application category, port, protocol, and service. Unlike legacy security products, customers do not have to manage and attach multiple security profiles to their rules. All security engines (IPS, Anti-Malware, Next-Generation Anti-Malware) are enabled globally and scan all ports and protocols with exceptions created only when needed. This provides a consistent security posture for all users, locations, and devices without the pitfalls and misconfigurations of multiple security profiles.
4. Cato’s WAN Firewall provides granular control of traffic between all connected edges.
Cato’s WAN Firewall provides granular control of traffic between all connected edges (Site, Data Center, Cloud Data Center, and SDP User). Full mesh connectivity is possible, but the WAN Firewall has an allow-list approach to encourage a zero-trust access approach. The combination of source, destination, device, application, service, and other contexts is extremely flexible, allowing administrators to easily configure the necessary access between their users and locations. For example, typically only IT staff and management servers will need to connect to mobile SDP users directly, and this can be allowed in just a few clicks, or if you want to allow all SMB traffic between a site where your users are and a site with your file servers, that can also be done just as easily.
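To make the ordering described above concrete, here is an added illustration, written for this article and not Cato’s code (it does not describe how the Cato Management Application is implemented), of first-match, top-down evaluation for a block-list policy (Internet Firewall, implicit allow) next to an allow-list policy (WAN Firewall, implicit deny). The Flow and Rule fields, rule names, categories and sample flows are all constructed for the example; the hit-count helper is the check a practitioner runs to spot a rule that an earlier, broader rule shadows.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """Shared context one connection carries into policy matching (constructed fields)."""
    user: str
    groups: FrozenSet[str]
    site: str
    dest: str        # destination edge for WAN traffic, or "Internet"
    app: str
    category: str
    service: str
    port: int


@dataclass
class Rule:
    """One rule; a selector left as None means 'any'. Every set selector must match."""
    name: str
    action: str                              # "allow" or "block"
    users: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    sites: Optional[Set[str]] = None
    dests: Optional[Set[str]] = None
    apps: Optional[Set[str]] = None
    categories: Optional[Set[str]] = None
    services: Optional[Set[str]] = None
    ports: Optional[range] = None

    def matches(self, f: Flow) -> bool:
        return (
            (self.users is None or f.user in self.users)
            and (self.groups is None or bool(self.groups & f.groups))
            and (self.sites is None or f.site in self.sites)
            and (self.dests is None or f.dest in self.dests)
            and (self.apps is None or f.app in self.apps)
            and (self.categories is None or f.category in self.categories)
            and (self.services is None or f.service in self.services)
            and (self.ports is None or f.port in self.ports)
        )


def evaluate(rules: List[Rule], flow: Flow, default_action: str) -> Tuple[str, str]:
    """Walk the list top down; the first matching rule decides, otherwise the list's default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default_action, "implicit default"


def hit_counts(rules: List[Rule], flows: List[Flow], default_action: str) -> Dict[str, int]:
    """Which rule decided each sample flow; a rule with zero hits is probably shadowed above it."""
    counts = {r.name: 0 for r in rules}
    counts["implicit default"] = 0
    for f in flows:
        counts[evaluate(rules, f, default_action)[1]] += 1
    return counts


# Internet Firewall: block-list style, so anything not matched is allowed.
INTERNET_DEFAULT = "allow"
INTERNET_RULES = [
    Rule("Allow IT remote-admin tools", "allow", groups={"IT"}, categories={"remote-admin"}),
    Rule("Block remote-admin tools", "block", categories={"remote-admin"}),
    Rule("Block file-sharing on high ports", "block", categories={"file-sharing"}, ports=range(1024, 65536)),
]

# WAN Firewall: allow-list style, so anything not matched is denied.
WAN_DEFAULT = "block"
WAN_RULES = [
    Rule("IT to SDP users", "allow", groups={"IT"}, dests={"SDP Users"}),
    Rule("SMB from HQ to Data Center", "allow", sites={"HQ"}, dests={"Data Center"}, services={"SMB"}),
]

# Constructed sample flows (user, groups, site, destination, app, category, service, port).
INTERNET_FLOWS = [
    Flow("alice", frozenset({"IT"}), "HQ", "Internet", "remote-tool", "remote-admin", "HTTPS", 443),
    Flow("bob", frozenset({"Sales"}), "HQ", "Internet", "remote-tool", "remote-admin", "HTTPS", 443),
    Flow("bob", frozenset({"Sales"}), "HQ", "Internet", "news-site", "news", "HTTPS", 443),
    Flow("bob", frozenset({"Sales"}), "Branch", "Internet", "p2p-client", "file-sharing", "TCP", 6881),
]
WAN_FLOWS = [
    Flow("alice", frozenset({"IT"}), "HQ", "SDP Users", "rdp", "remote-admin", "RDP", 3389),
    Flow("bob", frozenset({"Sales"}), "HQ", "SDP Users", "rdp", "remote-admin", "RDP", 3389),
    Flow("bob", frozenset({"Sales"}), "HQ", "Data Center", "smb", "file-sharing", "SMB", 445),
]


def internet_verdict(flow: Flow) -> Tuple[str, str]:
    return evaluate(INTERNET_RULES, flow, INTERNET_DEFAULT)


def wan_verdict(flow: Flow) -> Tuple[str, str]:
    return evaluate(WAN_RULES, flow, WAN_DEFAULT)


if __name__ == "__main__":
    for f in INTERNET_FLOWS:
        print("internet", f.user, f.category, f.port, "->", internet_verdict(f))
    for f in WAN_FLOWS:
        print("wan", f.user, f.site, "->", f.dest, f.service, "->", wan_verdict(f))
    # Swapping the first two Internet rules shadows the IT exception: it never fires.
    swapped = [INTERNET_RULES[1], INTERNET_RULES[0], INTERNET_RULES[2]]
    print(hit_counts(swapped, INTERNET_FLOWS, INTERNET_DEFAULT))
```

The same evaluator serves both lists; the only difference between a block-list and an allow-list is the default action applied when nothing matches. The swapped-order run at the end shows why rule position matters: once the broad block rule sits above the IT exception, the exception records zero hits over representative traffic, which is the signal to look for when reviewing a policy for shadowed rules.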
More About Cato’s Additional Security Capabilities
Cato has additional security capabilities beyond what we’ve covered, including DLP and CASB, which have their own policy sets, and as we continue to develop and deploy new capabilities you may see more added as well. But like what you’ve seen so far, you can expect simple, easy-to-build policies with powerful granular controls based on the shared context of both networking and security engines. Of course, all policy and service controls will be delivered from a true single management point – the Cato Management Application.
Cato SSE 360 = SSE + Total Visibility and Control
For more information on Cato’s entire suite of converged network security, please be sure to read our SSE 360 Whitepaper. Go beyond Gartner’s defined scope for an SSE service that offers full visibility and control of all WAN, internet, and cloud traffic. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
Don’t Turn a Blind Eye to TLS Traffic
TLS or Transport Layer Security is the evolution of SSL, and the terms are often used interchangeably. TLS is designed to increase security by encrypting data end-to-end between two points, ideally preventing bad actors from having visibility into the traffic of your web session. However, threat actors have also come to see the value in utilizing TLS encryption for delivering malware and evading security controls.
This can be indirect, by leveraging common sanctioned SaaS applications (Office365, Box, Dropbox, GDrive, etc.) as delivery vectors, or direct, by using free certificates from Let’s Encrypt. Let’s Encrypt is a free and open certificate authority created and run for the benefit of the public. Despite being designed for good, threat actors wasted no time in leveraging the advantages of free encryption in their activities.
The point here is that most traffic, good and bad, is now TLS encrypted and can create challenges for IT and security teams.
TLS Inspection to the Rescue
TLS inspection is almost completely transparent to the end-user and sits between the user and their web applications. Like the malicious activity known as a man-in-the-middle attack, TLS inspection intercepts the traffic, enabling inspection by security engines. For this to work without disruption to the end-user, the inspection service’s certificate authority must be installed and trusted on the client device.
TLS inspection has been available for some time now but isn’t widely used due to a variety of reasons, primarily cost and complexity. Historically NGFW or other appliances have been the source of TLS inspection capabilities for organizations. With any appliance, there is a fixed amount of capability, and the more features you enable, the lower the throughput. TLS inspection is no different and often requires double (or more) hardware investment to accomplish at scale. Additionally, TLS inspection brings up privacy concerns about financial and health information that are not always easily addressed by legacy products.
Cato Demo | TLS Inspection in Minutes (https://www.catonetworks.com/resources/tls-decryption-demo/?utm_source=blog&utm_medium=top_cta&utm_campaign=tls_demo)
SASE Makes it Possible
SASE or Secure Access Service Edge removes most of the challenges around TLS decryption, allowing organizations to secure their users and locations more effectively. SASE offers TLS inspection capabilities as product functionality, with no need to size and deploy hardware. Simply create the desired exceptions (or alternatively specify what traffic to inspect), deploy certificates to endpoints, and enable the feature. This easy alternative to NGFW TLS decryption makes it possible for organizations to gain visibility into the 95% of their traffic that is hiding in TLS. There are still some challenges, primarily certificate-pinned websites and applications, which cannot be decrypted without breaking the client. Most SASE providers will manage a bypass list of these for you, but you can always improve your security posture by blocking un-inspectable traffic where it makes sense.
Gain Visibility Today
The question remains: if you are not inspecting TLS today, why aren’t you? You have most likely invested in security technologies such as IPS, CASB, SWG, Next-Generation Antimalware, DLP, etc., but without complete visibility, these tools cannot work effectively. Security engines are a bit like the x-ray machine at airport security: they reveal the contents of luggage (packets) to identify anything bad. Now imagine you are in the security line and they are only inspecting 5 out of every 100 bags. How secure does this make you feel? Would you still get on the plane?
SASE has removed many of the obstacles to adopting TLS inspection and provides complete visibility to all security engines to maximize their value. If you have not considered SASE yet, now may be the time. If you already have SASE and do not know where to start with TLS inspection, start small. You should be able to selectively enable the capability for risky categories of URLs and applications and then increase the scope as your comfort level grows.
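As an added example (written for this article; not Cato’s code, and not a description of any vendor’s actual bypass list), here is one way to model the “start small” approach above: privacy and pinned-app exceptions are evaluated first, then the set of categories you have chosen to inspect, and a pinned destination that falls inside that scope is either blocked or passed through unread depending on a single switch. The destinations, categories and app names are constructed; the visibility percentage is simply the share of sample destinations the security engines get to read, which is the airport-line ratio from the previous section measured on your own policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Destination:
    """One TLS destination as the policy sees it (all values constructed for the example)."""
    host: str
    app: str
    category: str
    pinned: bool   # True when the client is known to pin the server certificate


@dataclass
class InspectionPolicy:
    """Exceptions are checked before the inspect scope, and the scope before the default."""
    privacy_bypass: Set[str]                 # categories never decrypted (finance, health, ...)
    pinned_bypass: Set[str]                  # sanctioned pinned apps that must pass through
    inspect_categories: Optional[Set[str]]   # None means "inspect every category"
    block_uninspectable: bool = True         # what to do with pinned traffic inside the scope

    def decide(self, d: Destination) -> str:
        """Return one of "bypass" (pass through unread), "inspect", or "block"."""
        if d.category in self.privacy_bypass:
            return "bypass"                  # privacy exception wins over everything
        if d.app in self.pinned_bypass:
            return "bypass"                  # known pinned app on the sanctioned list
        in_scope = self.inspect_categories is None or d.category in self.inspect_categories
        if not in_scope:
            return "bypass"                  # inspection not yet enabled for this category
        if d.pinned:
            # Decrypting would break the pinned client, so it is either dropped or let through unread.
            return "block" if self.block_uninspectable else "bypass"
        return "inspect"


def summarize(policy: InspectionPolicy, dests: List[Destination]) -> Dict[str, int]:
    """Count decisions over a set of destinations."""
    counts = {"inspect": 0, "bypass": 0, "block": 0}
    for d in dests:
        counts[policy.decide(d)] += 1
    return counts


def visibility_pct(policy: InspectionPolicy, dests: List[Destination]) -> float:
    """Share of TLS destinations the security engines actually get to read."""
    return 100.0 * summarize(policy, dests)["inspect"] / len(dests)


# Constructed sample destinations; the .test TLD is reserved and never resolves.
SAMPLE = [
    Destination("portal.example-bank.test", "bank-web", "finance", False),
    Destination("records.example-clinic.test", "ehr", "health", False),
    Destination("mdm.example-vendor.test", "mdm-agent", "uncategorized", True),
    Destination("update.example-app.test", "updater", "uncategorized", True),
    Destination("files.example-share.test", "share", "file-sharing", False),
    Destination("news.example.test", "news", "news", False),
    Destination("cdn.example-saas.test", "saas-docs", "business", False),
    Destination("new.example-domain.test", "unknown", "newly-registered", False),
]

# Step one: inspect only the risky categories, keep the privacy and pinned exceptions.
START_SMALL = InspectionPolicy(
    privacy_bypass={"finance", "health"},
    pinned_bypass={"mdm-agent"},
    inspect_categories={"uncategorized", "file-sharing", "newly-registered"},
)

# Later: widen the scope to every category while keeping the same exceptions.
FULL_SCOPE = InspectionPolicy(
    privacy_bypass={"finance", "health"},
    pinned_bypass={"mdm-agent"},
    inspect_categories=None,
)

if __name__ == "__main__":
    for name, policy in (("start-small", START_SMALL), ("full-scope", FULL_SCOPE)):
        print(name, summarize(policy, SAMPLE), f"{visibility_pct(policy, SAMPLE):.0f}% visible")
```

The unlisted pinned updater is the interesting case: it sits in an inspected category but cannot be decrypted, so with `block_uninspectable=True` it is dropped rather than silently passed, which is the posture the article recommends where it makes sense. Widening `inspect_categories` from the risky set to `None` is the “increase the scope as your comfort level grows” step, and the visibility figure shows how much of the sample traffic the engines could read before and after.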
See this quick video demo on how easy it is to enable TLS inspection with Cato Networks!
The Value of Security Simplicity
A Complex Landscape
As time passes, technology and human innovation have advanced rapidly. This is not only in terms of available connectivity, bandwidth, and processing power but also in terms of the networking and security landscape. For every technological advancement in consumer and business productivity, IT systems, operations and security must also try to keep pace.
We must consider not only the speed and capacity at which these tools must operate, but also the emergence of entirely new technical domains. The industry has moved away from castle and moat designs and replaced them with cloud platforms for a variety of services, effectively moving from endpoint security to network security and finally to cloud security and cloud-delivered network security. But with each new need and technical area, a multitude of vendors and products emerge only adding to the complexity.
Figure: Momentum CyberScape (source: Momentum Cyber)
IT and security leaders must consider multiple security product categories such as network & infrastructure, web, endpoint, application, data, mobile, risk & compliance, operations & incident response, threat intelligence, IoT, IAM, email/messaging, risk management, and more. Adding to the challenge, for each category there are multiple vendors with different product sets, architectures and capabilities. It can be time consuming and challenging to prioritize security investments while selecting the ideal vendor for your business. While each product that you purchase and implement is intended to strengthen your security posture and reduce risk, these products may also be increasing the complexity of your environment.
eBook: Ransomware is on the Rise – Cato’s Security as a Service can help (https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook)
Complexity Erodes Security
Many have considered it a best practice to purchase products based on the perception in the market as “best of breed.” This approach seems logical but can be detrimental as getting these products to work together can be difficult or impossible. Even products from the same vendor can be lacking in integration, especially if the product was the result of an acquisition. Furthermore, even with out-of-the-box integrations, getting everything to work as desired can still be very time-consuming.
You may have already learned through experience that integration is not convergence. If you are still questioning the difference between the two, here are two examples. A converged solution will have a single management application for all functions of the platform. Separate consoles or a pseudo-unified console that requires downloading, installing, and managing plugins are not converged. For cloud-delivered offerings, a converged solution will offer all capabilities at all PoPs. A vendor that uses some PoPs for capabilities like DLP and remote access and other PoPs for things like NGFW and SWG is not converged. Non-converged solutions can drastically increase management touch, increasing administrative overhead and cost while eroding security value.
How does this happen? For every new product and management application, the opportunity for misconfiguration increases, as does the number of policies. Misconfigurations can easily lead to high-profile security incidents, while multiple sets of separate policies can lead to gaps that are difficult to identify. A converged security platform provides holistic visibility into your organization’s policies and even makes it easier when you need to conduct compliance audits. Of course, the market has responded to this, and you can spend more money on third-party integration and management tools, or on developers that can build custom integrations for you. However, CISOs live in the real world and do not have unlimited budgets, nor do they typically want to own a software development life cycle for home-built integrations. Just remember, more vendors and more products can easily mean more problems.
Is Your Security Stack Weighing You Down?
In addition to hurting your organization’s budget and security posture, point-security products also reduce your ability to be agile and innovate. You may need to manage an update schedule for each of your devices and products. While most vendors have automatic update options, the best practice is to test updates before putting them into production and to monitor for impacts once they are in production. For example, a content update on a Palo Alto Networks PA-220 Firewall is estimated to take up to 10 minutes.* If you have 1,000 PA-220s, that is more than 166 hours of update time, not including downloading, testing, and verifying. Updates to the device’s firmware or operating system will likely take longer and can lead to outages or device failures. All this time spent on maintaining what you already own can slow other projects in your organization.
* Source: “[Content update] installation can take up to 10 minutes on a PA-220 firewall”
Beyond your organization’s ability to innovate, you should also consider the impacts on yourself or your team. Most security products require specialized technical expertise. This can make hiring challenging, especially if you need someone who can manage multiple aspects of your deployment. This means that hiring cycles will take longer, work/life balance may be compromised, and new hire ramping time is increased. Furthermore, complex deployments can make it difficult for skilled individuals to be promoted or take vacation time.
Your security stack represents a significant investment, but is it serving all users, locations, and applications? The costs of deploying and managing your own security architecture will often lead to compromises. You may have a few datacenters and probably backhaul traffic to them to secure. But often enough due to performance and other requirements, you may also be excluding specific locations, users, or applications from some or all security functions. This creates inconsistency in your security posture and user experience and will hurt your organization.
SASE Is the Way
You probably have heard of the Secure Access Service Edge or SASE, a term that Gartner coined in 2019. SASE is the way forward for most modern organizations and represents the convergence of networking and security capabilities delivered from the cloud. This allows organizations to remain agile and flexible, reducing complexity, while securing and enabling their users. The SASE market is relatively new, but there are already multiple vendors who want your business.
When looking at SASE, don’t forget about simplicity: many vendors don’t have converged solutions, and the complexity of legacy technology still lurks in their products. Management time and policy sets should be reduced, while deployments and new feature adoption should be seamless. Updates are the vendor’s responsibility, keeping you more secure and giving you time for other projects. You may have heard the acronym K.I.S.S. before, but I’ve changed it a bit for a SASE world: Keep It Simple & Secure.
“When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” – Alf Dela Cruz, Head of IT Infrastructure and Cyber Security at Standard Insurance