SD-WAN and Security: The Architecture is All that Matters

March 19, 2018

For the past two years, Cato Networks has led a revolution in enterprise networking: the convergence of software-defined wide area networks (SD-WAN) and network security delivered as a single cloud service. For decades, networking and security evolved as silos, creating separate point products in each category. Convergence is the antithesis to bundling of point solutions. It means the architectural integration of discrete components, by design, into a single, vertically integrated solution. Cato was the first company that decided to tackle the convergence of networking and security. We built our cloud service to address the connectivity and security needs of the modern enterprise from the ground up. Cato Cloud delivers affordable and optimized global SD-WAN with built-in multi-layer network security stack for all locations, cloud resources, and mobile users.

Security was never a strength of SD-WAN companies and legacy telcos. SD-WAN isn’t built to improve security, but instead address the rigidity, capacity constraints, and high costs of MPLS. Security in the context of SD-WAN was needed to encrypt the SD-WAN overlay tunnels over the Internet. This narrow security focus provided no protection against Internet-borne threats such as phishing, malicious websites, and weaponized e-mail attachments. When network security could no longer be ignored, SD-WAN companies partnered with network security vendors to create a “bundle” of non-integrated products the customer had to buy, deploy and maintain. In essence, what IT did before SD-WAN, namely deploy networking and security in silos, was reintroduced as a “partner offering.” Early announcements from Velocloud and more recently from Aryaka tell the same story.

Cato founders decided to go beyond marketing and “bundles” and literally break the networking and security silos. They had the vision and the track record. Our CEO, Shlomo Kramer, created the first commercial firewall as the co-founder of Check Point Software, the first Web Application Firewall at Imperva, and was a founding investor at Palo Alto Networks that built the first next-generation firewall. You can read his 25-year long perspective on the evolution of network security that led to the formation of Cato Networks and its unique architecture. Our CTO, Gur Shatz, created one of the leading cloud networks at Incapsula – specifically designed for DDoS protection. Shlomo and Gur brought to Cato the industry, product, and market perspective to disrupt the networking and security product categories.

What is the value of converged networking and security? Why did Cato decide to do it in the cloud instead of creating yet another appliance? Below are the key design principles of Cato and how they create value for enterprises versus SD-WAN point solutions and security bundles.

Software and cloud must form the core of the network

We live in a world of appliances — routers, SD-WAN, WAN optimization, and next-generation firewalls to name a few. Each appliance has its own internal code, detailed configuration, capacity specification and failover/failback setup. It creates a lot of work in sizing, deployment, configuration, patching, upgrading and retiring. All this work, times the number of appliances, just to keep the lights on. The appliance is one of the main reasons our networking and security architecture is so complex. In order to break the cost and complexity paradigm of enterprise networking, Cato uses software and cloud services that are inherently elastic, redundant and scalable. Cato removes the appliance form factor as the key building block of the network — all routing, optimization and security is delivered as pure software running on commodity servers in a distributed cloud network. No appliances, no grunt work for the customers, and no costly managed services. This is a fundamental architectural decision that stands in contrast to the rest of the SD-WAN field.

Full network security everywhere

Because Cato has converged its networking and security stack, it is available in all of our PoPs around the world. This eliminates the need for customers to create regional hubs, or deploy dedicate solutions to optimize and secure cloud resources. Cato’s security stack currently features a next-generation firewall with application control, URL filtering, anti-malware and IPS as a service. Cato inspects all traffic to stop malicious Command and Control (C&C) communications, cross-site threat propagation, drive-by downloads, and phishing attacks. A team of dedicated experts analyzes vulnerabilities, applying unique detection algorithms that leverage our broad visibility into all network traffic and security events. Cato fits well into a defense in depth model that applies for protection at different stages of the attack lifecycle including Internet/WAN, LAN, and endpoint. There is no need to cram multiple vendors into the same layer. Gartner recommends enterprises don’t mix multiple firewall brands (“One Brand of Firewall Is a Best Practice for Most Enterprises” [subscription required]) and most IT organizations standardize on one network security stack.

All traffic has to be controlled end-to-end

The separation of WAN and Internet traffic is driven by the legacy MPLS-centric design. Aryaka, for example, is focused on optimizing WAN traffic and recently bolted on security for “non-critical” Internet traffic. The optimized traffic isn’t secure, and the Internet traffic isn’t optimized. But what if you want to optimize access to a cloud service like Box.com? In that case, security isn’t applied and the customer can be compromised by a malicious file in a Box.com directory. Cato is holistically optimizing and securing all traffic, because Cato sends all traffic from the edge to be secured and optimized in the cloud network. This is the difference between secure-by-design and secure-by-duct tape.

Full control of the service code

Cato owns its security services code and does not resell third-party solutions. This has several key implications for enterprises:

Reduced exposure

In case of a vulnerability or a bug, Cato can resolve the issue in a matter of hours. With legacy SD-WAN, the customer must wait for a third-party fix to be provided.

Accelerated roadmap

Cato can rapidly evolve its code base, driven by customer feature requests and make all enhancements immediately available to all customers through the cloud service. Cato can also see how customers use the feature, and enhance these areas that have the most value to customers.

Lower costs

Cato doesn’t have to pay licensing fees to third-party solution providers, passing these cost efficiencies to customers. Bundled offerings require paying all parties that participate in the bundle.

Seamless scaling in the cloud

Scaling is one of the biggest challenges of security technologies. Deep packet inspection for threat protection, coupled with inline SSL decryption, places a significant load on edge devices. In contrast, networking devices don’t have the same scaling issues, because network-related packet processing is much lighter. Scaling is one of the reasons why networking and security remained largely independent over the years. Cato had addressed this issue by moving the security processing and global routing to the cloud. The only edge function is managing last-mile optimization. In this way, customers are freed from capacity planning, sizing, upgrading and repairing of edge devices, just because traffic volume or traffic mix has changed and the edge security device can’t keep up.   

Single management across all services

Cato provides a single pane of glass to manage all aspects of the network and the security: analytics, policy configuration, incident review, and troubleshooting. Bundling multiple products means customers must use multiple management interfaces increasing the potential for misconfigurations and poor security posture.

Self-service and co-managed network management model

to compensate for the complexity of the bundles, carriers often provide a managed service that blocks enterprises from making even the smallest changes to the network. The infamous “ticketing systems” and “read-only portals” means that every request takes a long time to complete. Because Cato is converged and focused on simplicity, our management application supports self-service or co-managed models. Enterprises can choose to manage their own network policies while Cato maintains the underlying infrastructure. Or, be supported by Cato’s partners for 24×7 monitoring.  

The bottom line

SD-WAN companies and legacy telcos, were forced to consider security as part of their SD-WAN offerings. However, bolting security into SD-WAN means that they are unable to use WAN modernization and transformation projects to streamline network security.

Cato Networks has architecturally solved the challenge of optimizing and securing enterprise WAN and Internet traffic for branches, datacenters, cloud resources, and mobile users — globally. Enterprises can dramatically cut the costs and complexity of running their network and security infrastructure, by using Cato’s converged cloud platform. This is the future of SD-WAN, and it is available. Today.

Yishay Yovel

Yishay Yovel

Yishay Yovel, Chief Marketing Officer, directs Cato’s global marketing. Yishay was previously the Vice President, Marketing for Trusteer, a financial fraud and advanced malware protection company, acquired by IBM in 2013. Prior to Trusteer, Yishay was Sr. Director, Product Marketing at Imperva. Yishay has over 25 years of experience in marketing and product management for enterprise software solutions in the areas of security, fraud prevention, storage, and mobile computing. Yishay holds a bachelor degree in Law from Tel Aviv University.