What is Network Visibility?

November 19, 2019

When I read that less than 20% of IT professionals indicated their organizations can properly monitor public cloud infrastructure, it reminded me of the recurring network visibility conversations I have with network managers from around the globe. The dynamic and distributed nature of cloud workloads, coupled with a mobile workforce, makes avoiding shadow IT and achieving granular visibility of network flows challenging for many enterprises.

Traditional VPN solutions enable connectivity for mobile and remote employees but do little to enable the same visibility and control possible on-premises. Routing traffic back through corporate headquarters for auditing isn’t a practical solution. Doing so hamstrings performance and limits the benefits cloud and mobile bring in the first place. Fortunately for enterprises, cloud-based SD-WAN solves this problem by making secure, monitored, and policy-enforced WAN connectivity possible across the globe, on-prem and in the cloud, without sacrificing performance.

But what exactly makes cloud-based SD-WAN different? Before we answer that, let’s take a closer look at network visibility and explore the challenges cloud and mobile create.

Network Visibility Defined

Network visibility is the collection and analysis of traffic flows within and throughout a network. At the most granular level, enterprises may strive to achieve visibility down to the packet, user, and application. Worded differently, network visibility is what enterprises generally aim to gain from network and security monitoring tools.

Granular network visibility brings several benefits to the enterprise. With in-depth network visibility, organizations can improve security through stricter policy enforcement, rapid detection of malicious behavior, and reduction in shadow IT. Additionally, network visibility can improve network analytics and application profiling. This, in turn, enables better reporting, more informed decision making, and improved capacity planning.

Network Visibility Challenges Created by Cloud and Mobile

One of the biggest challenges enterprises face with network visibility is addressing blind spots created by cloud and mobile. It is easy for an enterprise to fall into a false sense of security because it can view all the traffic traversing MPLS links. The problem is that today's enterprise WANs are a mix of MPLS, Internet-based VPNs, mobile users, and cloud services. Under those circumstances, traditional monitoring tools simply aren't able to provide visibility across the entirety of the WAN.

Traditionally, network visibility within the WAN has been made possible by SIEM (security information and event management) solutions and network management systems that aggregate packet flow data from multiple security and network monitoring tools such as security appliances, firewalls, and endpoint sensors. While these tools can be made to work effectively when traffic is restricted to the WAN, they begin to fall apart when cloud and mobile come into play.

For example, endpoint sensors generally can't run on mobile devices. Similarly, capturing application-level visibility on traffic to and from cloud datacenters becomes a major challenge. This is because each cloud platform often comes with its own set of security policies and protocols, creating silos and blind spots within the network. The fact that traditional monitoring tools, like SNMP (Simple Network Management Protocol) and many agent-based solutions, simply don't work in the cloud makes things worse. Further, Network Address Translation (NAT) and encryption can obscure data from network sensors, reducing the usefulness of those sensors and stifling packet inspection efforts.

Another downside to the traditional approach to network visibility and packet inspection is that it is tied to physical or virtual site-specific devices such as Next-generation Firewalls (NGFWs), Secure Web Gateways (SWGs), and Unified Threat Management (UTM) appliances. Each location within the WAN requires its own set of appliances that must be sourced, provisioned, and maintained. The alternative is to backhaul all traffic to a central location on the WAN for inspection, which creates latency and impacts performance.

As a result, the appliance-based approach to network visibility and security scales poorly. The more appliances an enterprise has, the more complex the network becomes. Appliances also inherently have capacity constraints that limit how much traffic can be inspected and analyzed without a hardware upgrade. Additionally, not only do appliances have to be provisioned and deployed, they have to be maintained, patched, and eventually replaced. As the enterprise grows, this can become a patchwork of appliances with varying configurations, firmware revisions, and policies. The result is limited network visibility and potential security vulnerabilities created by oversight or policy deviations between sites.

However, the best way to conceptualize the network visibility challenges facing the modern enterprise may be to consider the task of securely connecting mobile users to resources in the cloud. In this scenario, if enterprises wish to gain some level of visibility over the data flows, mobile users traditionally must connect via a VPN back to on-premises appliances for auditing and inspection. The traffic is then routed on to a local Internet access point or across the WAN to a centralized and secure Internet access point before making its way to its destination in the cloud. This approach significantly impacts performance, making it unattractive to most enterprises.

This is one of the reasons over half of the enterprises we surveyed reported they let mobile users connect directly to the cloud. Unsurprisingly, over half of the respondents also indicated that “lack of visibility and control” was their biggest challenge when it comes to providing mobile users access to business applications.

How Cloud-Based SD-WAN Enables Complete Network Visibility

As we can see, the traditional appliance-based approach left enterprises facing an unattractive tradeoff: sacrifice performance for some level of security and visibility or sacrifice network visibility in the name of performance. Cato’s cloud-based SD-WAN solves this problem by shifting the paradigm away from an appliance-based approach that is bound to physical locations.

The reason Cato Cloud is different stems from its global SLA-backed private backbone and cloud-native network infrastructure that bakes security and monitoring into the network. The backbone consists of 45+ Points of Presence (PoPs) across the globe, and Cato strives to have a PoP within 25 milliseconds of any Cato user. Within the Cato Cloud, the cloud-native network infrastructure provides the network security and monitoring features that used to require discrete on-premises appliances.

As opposed to having network traffic routed through an on-premises appliance, mobile users can connect to the Cato Cloud using Cato’s mobile client. This enables secure and optimized mobile connectivity to cloud applications and WAN resources. Mobile users get the same protection and performance as they would on-premises.

IT also benefits from this cloud-based approach to WAN connectivity. With Cato Cloud, network complexity is reduced while network visibility is increased, streamlining operations while enhancing security. Features that make this possible include:

Next-generation Firewall (NGFW)

Cato’s built-in NGFW functionality enables application-level awareness of network traffic without deploying multiple appliances. Unlike on-premises appliances, Cato’s NGFW provides enterprises the benefit of unlimited scalability and full traffic inspection without forced upgrades.

Identity-Aware Routing

In addition to enabling business-process-driven QoS (Quality of Service) and high-level policy abstraction, Cato's identity-aware routing engine makes business-centric network visibility possible. IT can view activity and network flows at the site, group, host, and user levels to improve network planning.

Managed Threat Detection and Response (MDR)

Cato’s MDR offers enterprises zero-footprint network visibility by gathering complete metadata for all WAN and Internet flows without deploying any network probes.

Cato Helps Enterprises Gain the Network Visibility Modern Enterprises Demand

The takeaway here is simple: because Cato provides a converged WAN platform, it can provide granular network visibility in a simple and scalable manner. By shifting away from an appliance-based approach to WAN management, Cato brings the benefits of the cloud to the WAN. As a result, Cato customers are seeing benefits in the real world and improving network visibility and performance by making the switch to Cato Cloud. For example, after choosing Cato over appliance-based SD-WAN and MPLS, Nathan Trevor, IT Director at Sanne Group, was quoted as saying: “Now I can open a Web browser and see the state of connectivity for every single site globally. I can even see down to a single person and how much bandwidth (s)he is using. Cato is powerful beyond belief.”

You can read more about Sanne Group’s use case in this case study. If you’d like to learn more about Cato Cloud or see it in action for yourself, contact us or schedule a demo today.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He's spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.