Today, Cato introduced the first, identity-aware routing engine for SD-WAN. Identity awareness abstracts policy creation in Cato Cloud from the network and application architecture, enabling business-centric routing policies based on user identity and group affiliation. It headlines a series of SD-WAN enhancements we’re making today to Cato Cloud. You’ll be able to learn more about identity awareness and see those improvements in action in our upcoming webinar when director of product management, Eyal Webber-Zvik, and I demo Cato Cloud.
Problems of Routing
Enterprises have long sought to make networking easier — easier to configure, easier to deploy and easier to manage. Essential to that goal has been abstracting network policy definition to better mirror business context.
Legacy networks route traffic based on IP address or subnet, information that bears little resemblance to the business. Policies are, in effect, machine-aware, treating a device’s application traffic the same even when network requirements vary greatly. While SD-WANs made application-aware routing a reality, we remain limited by their lack of granularity, unable to accurately reflect business context in our networks.
Identity awareness transforms routing
Identity-awareness completes the evolution of routing by steering and prioritizing traffic based on organizational entities — team, department, and individual users. Adding identity attributes to networking policies allows Cato to deliver:
- Business process QoS where prioritization is based not just on application type but the specific business process.
- Highest level of policy abstraction where route policy definition naturally extend routing policies to the user independent of their device or location — whether in the office or on the road. Policies are easier to define and fewer policies need be instantiated and maintained, simplifying network management.
- Business-centric network visibility allows detailed insight into the activity of all business entities — sites, groups, hosts, office users and mobile users. IT can quickly see how business entities use the network to help with network planning and scaling.
With identity-aware routing, business-critical voice calls, such as from executive or sales, can be prioritized over other calls; file transfers, normally given low priority, can be prioritized when involving business-critical processes, such as financial transactions in a financial institution.
Cato implements identity-aware routing seamlessly without changing the network infrastructure or the way users work. Microsoft Active Directory (AD) data is dynamically correlated across distributed AD repositories, and real-time AD login events to associate a unique identity with every packet flow. Organizational context, such as groups and business units, is derived from the AD hierarchy.
Real-time Analytics and Other SD-WAN Enhancements
In addition to identity awareness, Cato introduced or enhanced numerous Cato Cloud SD-WAN capabilities including:
- Multi-segment, policy-based routing dynamically selects the optimum path at each segment — the first mile, middle mile, and last mile. Segment-specific protocol acceleration technologies maximizes global throughput. Using the robust DPI engine underlying Cato Cloud, we’re able to detect and classify hundreds of SaaS and datacenter applications regardless of port, protocol, or evasive technique and without SSL inspection. Applications are routed based on real-time link quality or preferred transport.
- Real-time network analytics expands Cato robust reporting for advanced troubleshooting. IT managers can view jitter, packet loss, latency, packet discarded, throughput, and dropped indicators with graphs for both upstream and downstream traffic as well as the top hosts and applications for real-time and historical traffic. Mean opinion score (MOS) ratings provide real-time insight into the voice quality across Cato Cloud.
- Affordable and simple high availability (HA) deployment has been expanded to include more HA options. Cato Socket, Cato’s SD-WAN appliance, supports a broader mix of active/active and active/passive failover configurations for MPLS and Internet connections. Cato’s Affordable HA carries no additional recurring charge and deployment is simple with zero-touch provisioning and needing just a private or public IP address.
- Intelligent last-mile resilience has been improved to include flow-by-flow packet duplication and fast packet recovery as part of Cato’s Multi-Segment Optimization. Last-mile congestion, a significant cause of packet loss, is also mitigated through advanced QoS support for upstream/downstream bandwidth.
- Cloud and WAN traffic optimization using Cato’s Multi-Segment Optimization reduces latency by routing traffic along the optimum path to the destination site (WAN traffic) or to the entrance of the cloud service (cloud traffic). A variety of TCP enhancements increase throughput when accessing cloud and WAN resources.
“We founded Cato on the premise that IT needed a new kind of carrier, one where simplicity isn’t just a mission statement but part of the company’s DNA,” says Shlomo Kramer, co-founder and CEO of Cato Networks. “Identity awareness adds business context to our end-to-end, converged and secure MPLS alternative, making it easier and simpler for IT to align with today’s dynamic business requirements and deliver an optimal user experience, everywhere.”
To learn more about identity-aware routing and see Cato’s new secure SD-WAN capabilities in action, click here to join our upcoming online demonstration of Cato Cloud.