How to Solve the Cloud vs On-Premise Security Dilemma

Listen to post:
Getting your Trinity Audio player ready...


Organizations need to protect themselves from the risks of running their business over the internet and processing sensitive data in the cloud. The growth of SaaS applications, Shadow IT and work from anywhere have therefore driven a rapid adoption of cloud-delivered cybersecurity services.

Gartner defined SSE as a collection of cloud-delivered security functions: SWG, CASB, DLP and ZTNA. SSE solutions help to move branch security to the cloud in a flexible, cost-effective and easy-to-manage way. They protect applications, data and users from North-South (incoming and outgoing) cyber threats. Of course, organizations must also protect against East-West threats, to prevent malicious actors from moving within their networks.

Organizations can face challenges moving all their security to the Cloud, particularly when dealing with internal traffic segmentation (East-West traffic protection), legacy data center applications that can’t be moved to the cloud, and regulatory issues (especially in Finance and Government sectors). They often retain a legacy data center firewall for East-West traffic protection, alongside an SSE solution for North-South traffic protection.

This hybrid security architecture increases complexity and operational costs. It also creates security gaps, due to the lack of unified visibility across the cloud and on-premise components.

A SIEM or XDR solution could help with troubleshooting and reducing security gaps, but it won’t solve the underlying complexity and operational cost issues.

Solving the cloud vs on-premise dilemma

Cato Networks’ SSE 360 solution solves the “on-premise vs cloud-delivered” security dilemma by providing complete and holistic protection across the organization’s infrastructure.  It is built on a cloud-native architecture, secures traffic to all edges and provides full network visibility and control.

Cato SSE 360 delivers both the North-South protection of SSE and the East-West protection normally delivered by a data center firewall, all orchestrated from one unified cloud-based console, the Cato Management Application (CMA).

Cato SSE 360 offers a modular way to implement East-West traffic protection. By default, traffic protection is enforced at the POP, including features such as TLS inspection, user/device posture checks and advanced malware protection. See Figure 1 below. This does not impact user experience because there is sub-20ms latency to the closest Cato POP, worldwide.

Figure 1 – WAN Firewall Policy

Using the centralized Cato Management Application (CMA), it is simple to create a policy based on a zero-trust approach.  For example, in Figure 2 below, we see that only

  • Authorized users (e.g. Cato Fong),
  • Connected to a corporate VLAN,
  • Running a policy-compliant device (Windows with Windows AV active)

Are allowed to access sensitive resources (in this case, the Domain Controller inside the organization).

Figure 2 – An example WAN Firewall rule

In some situations, it is helpful to implement East-West security at the local site: to allow or block communication without sending the traffic to the POP.

For Cato services, the default way to connect a site to the network is with a zero-touch edge SD-WAN device, known as a Cato Socket.  With Cato’s LAN Firewall policy, you can configure rules for allowing or blocking LAN traffic directly on the Socket, without sending traffic to the POP. You can also enable tracking (ie. record events) for each rule.

Figure 3 – LAN Firewall Policy

When to use a LAN firewall policy

There are several scenarios in which it could make sense to apply a LAN firewall policy.

Let’s review the LAN Firewall logic:

  • Site traffic will be matched against the LAN firewall policies
  • If there is a match, then the traffic is enforced locally at the socket level
  • If there is no match, then traffic will be forwarded by default to the POP the socket is connected to
  • Since the POP implements an implicit “deny” all policy for WAN traffic, administrators will just have to define a “whitelist” of policies to allow users to access local resources.
The Business Case for Security Transformation with Cato SSE 360 | Download the White Paper

Some use cases:

  • prevent users on a Guest WiFi network from accessing local corporate resources.
  • allow users on the corporate VLAN to access printers located in the printer VLAN, over specific TCP ports.
  • allow IOT devices (e.g. CCTV cameras), connected to an IOT-camera VLAN, to access the IOT File Server, but only over HTTPS.
  • allow database synchronization across two VLANs located in separate datacenter rooms over a specific protocol/port.

To better show the tight interaction between the LAN firewall engine in the socket and the WAN and Internet firewall engines at the POP, let’s see this use case: In Figure 5, a CCTV camera is connected to an IoT VLAN. A LAN Firewall policy, implemented in the Cato Socket, allows the camera to access an internal CCTV server. However, the Internet Firewall, implemented at the POP, blocks access by the camera to the Internet.  This will protect against command and control (C&C) communication, if the camera is ever compromised by a malicious botnet.

Figure 4 – Allow CCTV camera to access CCTV internal server

All policies should both be visible in the same dashboard

IT Managers can use the same CMA dashboards to set policies and review events, regardless of whether the policy is enforced in the local socket or in the POP. This makes it simple to set policies and track events.

We can see this in the figures below, which show a LAN firewall event and a WAN firewall event, tracked on the CMA.

Figure 6 shows a LAN firewall event. It is associated with the Guest WiFi LAN firewall policy mentioned above.  Here, we blocked access to the corporate AD server for the guest user at the socket level (LAN firewall).

Figure 5 – LAN Firewall tracked event

Figure 7 shows a WAN firewall event. It is associated with a WAN firewall policy for the AD Server, for a user called Cato Fong.  In this case, we allowed the user to access the AD Server at the POP level (WAN firewall), using zero trust principles: Cato is an authorized user and Windows Defender AV is active on his device.

Figure 6 – WAN Firewall tracked event

Benefits of cloud-based East-West protection

Applying East-West protection with Cato SSE 360 brings several key benefits:

  1. It allows unified cloud-based management across all edges, for both East-West and North-South protection;
  2. It provides granular firewall policy options for both local and global segmentation;
  3. It allows bandwidth savings for situations that do not require layer 7 inspection;
  4. If provides unified, cloud-based visibility of all security and networking events.

With Cato SASE Cloud and Cato SSE 360, organizations can migrate their datacenter firewalls confidently to the cloud, to experience all the benefits of a true SASE solution.

Cato SSE 360 is built on a cloud-native architecture. It secures traffic to all edges and provides full network visibility and control. It delivers all the functionality of a datacenter firewall, including NGFW, SWG and local segmentation, plus Advanced Threat Protection and Managed Threat Detection and Response.

Related Topics