Solving the Challenges of SD-WAN Security with Cloud-Native

October 13, 2019

August 2019 saw a significant increase in the discovery of new malware according to statistics from AV-TEST – The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.

As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago.

These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service.

But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.

WAN Security and the Challenges Facing the Enterprise

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.

MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately. Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge.

For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings including:

  • Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk and manual configuration is conducive to oversight and errors.
  • Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.
  • Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add support for cloud most appliances, both from a security and connectivity standpoint.

Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer

The cloud-native network infrastructure supporting the Cato Cloud takes SD-WAN security to the next level by integrating security features to the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, Cato’s cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking-in security features, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management.

Additionally, inspections of TLS traffic occur at the PoPs (Points of Presence) on Cato’s global private-backbone helping to secure traffic to and from the cloud efficiently. Further, with Cato’s Software Defined Perimeter, support for mobile users becomes simple and scalable.

In short, by shifting security functions to the cloud, Cato’s delivers security as a service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.

Enterprise-Grade Cloud-Based SD-WAN Security Features

Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set Cato Cloud apart.

  • NGFW. Cato’s NGFW inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.
  • Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories and enterprises can input their own custom rules to further optimize web safety within the WAN.
  • Anti-malware. To deliver enterprise-grade anti-malware functionality, the Cato Cloud takes a two-pronged approach. First, a signature and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, Cato has partnered with infosec industry leader SentinalOne to incorporate artificial intelligence and machine learning to identify unknown malware that may evade signature-based checks.
  • IPS. Cato’s Intrusion Prevention System provides contextually-aware SD-WAN security. Customers benefit from the scale of the Cato network in the form of a more robust IPS. Cato Research Labs use big data to optimize IPS performance and reduce false positives and false negatives.
  • Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to Cato’s security operations center (SOC). With MDR, enterprises not only reduce the support burden on in-house staff, they minimize one of the key drivers of damage created by malware: dwell time. With MDR, Cato’s SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (here’s a genericized example report for reference (PDF)).

Cato Offers Modern and Scalable SD-WAN Security

As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable Cato to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective.

This point is driven home by Cato customer Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look at Cato. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality Cato Networks has to offer, it will bring significant financial, functional and IT management benefits.”

If you’d like to learn more about how Cato is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, contact us. If you’re still not convinced and would like to see Cato Cloud in action, you’re welcome to schedule a demo to see it live.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.