Should You Be Concerned About the Security of SD-WAN?

Traditional hub-and-spoke networking has enterprises backhauling WAN traffic from branches over MPLS circuits to a central site and applying security policies before sending the traffic to the cloud or the public Internet. This practice has become prohibitively slow, inefficient and costly as more and more branch traffic is intended to go to the cloud or the Internet.

SD-WAN has emerged as a popular alternative to MPLS. But for SD-WAN to provide better-than-MPLS cloud and Internet performance traffic, backhaul must be eliminated and sent directly to the Internet. This begs the question: How can SD-WAN use direct Internet access when SD-WAN includes no protection against Internet-borne threats?

Without an SD-WAN standard, enterprise customers can’t make assumptions about what an SD-WAN solution provides—especially when it comes to security. Many SD-WAN vendors take a do-it-yourself (DIY) approach such that the customer organization must piece together the necessary security components. This can lead to isolated or daisy-chained “point” products that are a challenge to maintain. Cato Networks, on the other hand, fully converges security into the network itself so that it is holistically available to all users across the network.

The Cato Approach to Security of SD-WAN

Cato believes the DIY approach is just too complicated and may create gaps that leave the enterprise vulnerable to a range of threats. It puts the enterprise in charge of security patches, upgrades, and updates all of which places an unnecessary burden on security administrators. What’s more, deploying a full security stack in each branch location is complex, costly and too much of an administrative burden.

The unique characteristic of Cato’s SD-WAN as a service (SDWaaS) is the convergence of the networking and security pillars into a single platform. Convergence enables Cato to collapse multiple security solutions such as a next-generation firewall, secure web gateway, anti-malware, and IPS into a cloud service that enforces a unified policy across all corporate locations, users and data.

Cato’s holistic approach to security is found everywhere throughout the Cato Cloud platform:

1. At the PoP – The Cato Cloud has a series of Points of Presence around the world, and this is where customer traffic enters the Cato network. Only authorized sites and mobile users can connect and send traffic to the backbone. The external IP addresses of the PoPs are protected with specific anti-DDoS measures. All PoPs are interconnected using fully-meshed, encrypted tunnels to protect traffic once it is on the network. The Cato PoP software includes a Deep Packet Inspection (DPI) engine built to process massive amounts of traffic at wire speed including packet header or payload.
2. At the Edge – Customers connect to Cato through encrypted tunnels established by appliance devices (called Cato Sockets); IPsec-enabled devices such as firewalls; or client software (for mobile users). These connectivity options support a range of security features to ensure that only authenticated branches and users can connect and remain active on the network.
3. On the Cato Cloud network – Cato Security Services are a set of enterprise-grade and agile network security capabilities, built directly into the cloud network as part of a tightly integrated software stack. Current services include a next-generation firewall (NGFW), secure web gateway (SWG), advanced threat prevention, and network forensics. Because Cato controls the code, new services can be rapidly introduced without impact on the customer environment. Customers can selectively enable the services, configuring them to enforce corporate policies.
   • Next Generation Firewall – The NGFW supports the definition of LAN segments as part of the site context. This helps to isolate specific types of traffic that carry regulated or very sensitive data, such as payment data. The NGFW supports both application awareness and user awareness, so policies can be created according to the proper context. Other features include WAN traffic protection and Internet traffic protection.
   • Secure Web Gateway – SWG allows customers to monitor, control and block access to websites based on predefined and/or customized categories. Cato creates an audit trail of security events on each access to specific configurable categories. Admins can configure access rules based on URL categories.
   • Advanced Threat Prevention – Cato provides a variety of services designed to prevent threats from entering the network, including anti-malware protection and an advanced Intrusion Prevention System (IPS).
   • Security Analytics – Cato continuously collects networking and security event data for troubleshooting and incident analysis. A year of data is kept by default.

For details about all these security features and their capabilities, read the white paper Cato Networks Advanced Security Services. Learn about Cato Networks adding sophisticated threat hunting capabilities.

The Benefits of Security Delivered from the Cloud

Because Cato’s security is delivered as a cloud service, customers are relieved of the burden of maintenance and updates of the devices and services. Nor do customers need to be concerned with sizing or scaling network security, as that is all done automatically be Cato. Customers control their own policies while Cato maintains the underlying infrastructure. As for staying current with threats, Cato has a dedicated research team of security experts that continuously monitor, analyze and tune all the security engines, risk data feeds, and databases to optimize customer protection.

Enterprises of all sizes are now able to leverage the hardened cloud platform that is the Cato Cloud platform to improve their security posture and eliminate concerns about SD-WAN security.