Customer Success Stories

Serving Enterprises of All Sizes with a Cloud-native SASE Platform

Our customers cut MPLS costs, improve performance between global locations, eliminate branch appliances, provide secure Internet access everywhere, and seamlessly integrate mobile users and cloud datacenters into the network. Read their success stories.

BrandLoyalty Achieves Fast Performance and Network Maturity with Cato
Retail
The Network Challenges of a Global Enterprise

IT leaders know all too well the challenges of global MPLS solutions. The high costs of global MPLS circuits are well documented, but less spoken about are the little things, like the lack of network visibility and the integration challenges needed to keep the solution operational, to say nothing of the problems with moving to the cloud.

Such were the challenges facing BrandLoyalty. A provider of customer loyalty and incentive programs to food retailers worldwide, BrandLoyalty runs an infrastructure that connects offices across Europe. “We work with leading global brands & licenses such as Disney or Zwilling that demand a reliable, secure, well-managed infrastructure from their partners,” says Ben de Laat, head of IT security at BrandLoyalty. “It’s very important for us to have not only high-quality offices, desks, chairs, awesome coffee, and great lunches, but high-quality Internet and well-managed end-user devices.”

With limited IT resources, BrandLoyalty had to be very careful about the technology choices it makes. The company was in the middle of a full migration to Microsoft Azure with a WAN infrastructure that was complex and not well suited for the cloud. “Our locations were connected by MPLS and two Internet lines with dynamic routing and failover at each site,” says Arne van Vuuren, Head of IT Operations. “We had WAN optimizers and firewall appliances at each location, with failover for each.”

The infrastructure was technically sophisticated but had frequent issues. “It was not a well-integrated solution,” says van Vuuren. “There was little visibility and too many end user nuisances. I was always pushing our suppliers to solve our constant network issues. We needed to come up with another solution using SD-WAN that was better integrated and more cloud friendly.”

BrandLoyalty Finds a True SASE Solution with Cato

BrandLoyalty created an RFP and evaluated four supposed SASE suppliers, one of which was Cato. While de Laat was impressed with Cato right away, van Vuuren was skeptical. “I didn’t believe the Cato solution could work as well as they were claiming,” says van Vuuren. “I thought they were a bunch of cowboys, honestly, and that the network would buckle under all the Zoom and Microsoft Teams we worked with.”

Two RFP requirements were that the solution be well integrated and easily managed centrally. Three of the vendors couldn’t meet those requirements. “They offered customized solutions, even our own custom points of presence,” says van Vuuren. “We didn’t want something complex and tailor made for us. We wanted a solution like Office 365, a straightforward cloud service used by everyone that could scale quickly and easily as we grew, have continual service improvements, and gain new functionality without a lot of new cost. And we wanted a SASE solution, not one that required on-premises firewall appliances with all their updates.”

Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next-generation firewall, content filtering, and IPS. Connecting a location to Cato is just a matter of installing a simple Cato Socket appliance, which links automatically to the nearest of Cato’s more than 70 globally dispersed Points of Presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime; it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features, improving remote access performance.

Paradoxically, both de Laat and van Vuuren decided on Cato during a phone call with another contender. “We had an epiphany,” says de Laat. De Laat asked the other vendor how they could accommodate BrandLoyalty if it decided to implement a CASB solution in two years. “There was a lot of silence on the other end, and then the contender said they would have to do it in only one of our customized PoPs.” That was when it hit de Laat and van Vuuren that they were done with the customized route. They wanted something new and Cato was the only contender offering a new solution. “It was clear Cato was the most mature SASE solution out there,” says van Vuuren.

Cato Delivers a Fast Transition, Performance, and Visibility

The transition to Cato was fast and easy. “Officially it took four months, but it was really more like two-and-a-half,” says van Vuuren. Setting up the Cato Sockets was a breeze, and the performance was fast from day one. “It took an afternoon for our implementation partner, IPknowledge, to set up all the locations,” says van Vuuren. “I told some friends about the Cato rollout, and they didn’t believe me.”

Aside from its top-notch performance, including for Zoom and Teams, configuring the Cato solution was also easy and visibility was dramatically better than with the company’s previous network. “We made a bunch of rules, implemented them, and it all worked right out of the box,” says de Laat. “Immediately we saw new things on our network such as users accessing servers that were supposed to have been decommissioned. Aside from the security functionality Cato offers, Cato’s visibility and control add a lot to your security posture. We have so much more in-depth knowledge of our own network than we ever had before.”

And Cato’s remote and home users get the same network performance and security as those in the office. “I always assume that the solution a vendor describes is much more beautiful than it is in reality, but with Cato the promises were all true,” says van Vuuren. “Cato’s solution has pushed BrandLoyalty forward with a mature, professional network, which we really needed. And we still have a Cato library of unused functionality to help make our network even more mature down the road.”

Moveero Replaces MPLS, Simplifies Networking and Security with Cato SASE Cloud
Find out how moveero simplified and consolidated networking and security with Cato SASE
Manufacturing
The Challenge: Simplify Without Risk

When it comes to secure global WANs, keeping things simple can be as important as performance and reliability, particularly for a small IT team. Simplification was the goal for Dr. Faisal Jaffri, Global IT Director for moveero, a manufacturer of off-highway wheels and wheel systems used in agriculture, construction, and material handling. Shortly after Jaffri came on board, moveero separated from former parent company GKN PLC and divested its Chinese business, leaving seven global locations, including manufacturing plants in Denmark and the UK and product development and testing centers in Italy and USA.

The company’s global network was indeed complex. “We had an MPLS cloud connecting all our sites, with Internet breakouts in the UK and USA and Internet over MPLS in Denmark,” says Jaffri. “I was managing five different suppliers just in the UK, eight if you include all the other sites.” There were also firewalls and network optimizers at each site managed by the internal IT team, VPNs for remote connectivity, and a Web filtering service from a major provider. “With eight suppliers and all that equipment it was never easy to address problems that came up,” says Jaffri. “Sure, we had MPLS SLAs, but they’re not all that useful when the firewall and network optimization service levels don’t match,” says Jaffri. “We had to do a lot of work to make sure all those service levels came together as one.”

Since the Chinese business had been divested, there was ample opportunity for simplification and upgrading. “Our MPLS contract had been active for more than five years without any change in price or technology, which meant we were using old technology with no benefit from downward market pressure on pricing,” says Jaffri. Jaffri was also looking to relieve the small IT staff of mundane day-to-day management activities so it could focus on projects that would enhance the business. “With all those suppliers, we used to spend two to four hours every month just reviewing performance of each one.”

Moveero Finds Simplicity with Cato

It was time to simplify, upgrade, and reduce costs. Jaffri started investigating SD-WAN and SASE and put out an RFP seeking the functionality and capability he already had but delivered through one supplier at lower cost. He spoke to several other vendors, but the Cato SASE Cloud was the only one that looked to him like a true cloud architecture. “With the other options we would still have optimization and firewall appliances on site and perhaps one or two services such as Web filtering in the cloud,” says Jaffri. “As far as I was concerned, they were just putting a wrapper around what we already had and managing it for us.” Jaffri also looked to the future with his team, which was unlikely to grow. “Did I really want all that equipment on site needing to be maintained and supported?”

Inherited security practices from previous ownership at moveero were outdated. “Our firewalls had almost 800 rules to manage,” says Jaffri. “That’s two rules for every person with an email account. We really needed to rationalize that rule set, but I didn’t see that happening with the other providers. Only Cato would manage the firewalls for us and let us start with a clean slate.”

Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next-generation firewall, content filtering, and IPS. Connecting a location to Cato is just a matter of installing a simple Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed Points of Presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime; it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features, improving remote access performance.

Cato Simplifies, Delivers, and Cuts Costs

Jaffri decided to run a proof of concept to ensure Cato could deliver on all his requirements. Installing Cato was straightforward. “We dropped a Cato appliance onto each site, connected up the last mile link into the cloud and didn’t have to worry about anything else. If we needed anything, which wasn’t very often, we would just raise a request with Cato and it would be done.”

“We ran MPLS parallel to Cato at first, but it wasn’t long before we switched totally to Cato and were able to remove all that equipment,” says Jaffri. “We’ve had Cato for three years and it’s worked very well with almost no required maintenance. I have no complaints about performance.”

Aside from Cato’s performance and reliability, Jaffri likes Cato’s environmentally friendly architecture. “It’s just two lightweight appliances drawing power rather than all those power-hungry firewalls, network optimizers, and other devices,” says Jaffri. He also likes the platform’s self-service model. “We raise a request and usually don’t have to wait long for it to get dealt with,” he says. Thanks to Cato’s self-service, local teams can raise their own issues with Cato, rather than having to wait for the moveero central office to do so, as they did with MPLS.

Cato has also allowed the IT team to focus on other issues. “Cato has allowed me to reduce headcount and move our team’s focus to some new thinking that will benefit the business in the long run,” says Jaffri. “Thanks in part to Cato, we can look forward to continuing to evolve the function and greater benefits down the road.”

Grant & Stone Taps SASE Platform to Connect Offices, Showrooms, and Mobile Users for Better Agility and Control
This building trade supplier boosted network reliability, security, and control with Cato SASE
Construction
The Challenge: Poor Agility, Erratic WAN Performance

Suppliers to builders and other trades have had few choices for WAN connections among datacenter applications, warehouses, showrooms, and wholesalers. They could pay for expensive MPLS services, which could take months to deploy. Or, they could rely on more affordable but sometimes complex VPN connections, which are susceptible to the vagaries of the public Internet and so are not always consistent and reliable in terms of performance—until SASE came along.

With headquarters in High Wycombe, northwest of London, and 26 showrooms, wholesale, and retail branches throughout the Thames Valley, Grant & Stone previously relied on an IPsec site-to-site VPN mesh with 4G backup maintained by P&C Communications, an enterprise provider of voice and network solutions. Core business systems were hosted in a private cloud.

As with many VPN solutions, performance could be erratic. “We had very little visibility into the network or any ability to implement traffic control,” says Dave Oliver, Grant & Stone IT Manager. “Anything from a major Windows update to a massive file transfer could eat up our bandwidth and freeze the network.” The complex mesh architecture also made onboarding new locations time-consuming. “We needed to add new branches quickly, within days or weeks, not months,” says Oliver.

A capital investment firm hired to steer the company’s growth performed a cyber audit, which found several security issues and made a number of recommendations. “The audit recommendations would have required us to put more edge security systems in place, making management even more complex than it already was,” says Oliver. Remote access also relied on a single aging network VPN gateway, which was an obvious single point of failure and reaching the end of its life. “We needed a new redundant solution with seamless security and good performance to support our traveling staff when they met with customers on the road,” says Oliver.

Grant & Stone Launches its WAN Transformation

Oliver decided to work with P&C Solutions to transition to a more flexible WAN infrastructure that could onboard new sites faster in the case of acquisitions and expansion. He was also looking for WAN failover to 4G LTE to maintain the connection to the firm’s cloud-based merchant system, better network visibility and control, an easier way to fulfill audit recommendations, and a better way to manage remote access and onboard mobile and WFM workers. “Everyone needs fast 24 X 7 access to our systems for quotes and stock checking to continue selling products to our customers,” says Oliver.

Oliver had heard about the advantages of SASE and sought a SASE solution that would fulfill all his requirements. Together with P&C, he looked at several different options, but few could meet the company’s connectivity, security, redundancy, remote access, and management requirements. Some required deploying security appliances, which Oliver wanted to avoid. Only Cato fulfilled all his requirements.

Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next-generation firewall, content filtering, and IPS. Connecting a location to Cato is just a matter of installing a simple Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed PoPs. At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime; it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features, improving remote access performance.

Grant & Stone Taps Cato for Network Agility and Control

“P&C felt strongly that the Cato SASE solution would provide all the necessary services in an efficient, simple, all-in-one package,” says Oliver.

Oliver was impressed with the management and network visibility provided by the Cato management portal. “Every facet of the Cato solution can be monitored and logged,” says Oliver. “We can gather information about circuit quality at each branch and get security alerts for quick remediation of attacks or malware infection. Best of all, we can see which applications and Web sites are using the most bandwidth and implement traffic management rules to prioritize business-critical traffic.” Oliver also loved the single-pane-of-glass management approach Cato provided. “Both my team and the P&C Helpdesk can review the same Cato platform for management and monitoring of alerts and events,” says Oliver.

Deployment went smoothly, with dual connectivity at each site--a primary Ethernet or broadband connection and automatic 4G failover to maintain connectivity. “We also rolled out Cato’s VPN clients, which connected everyone to the Cato core, and made sure the right Cato security was in place,” says Oliver. “All site-to-site and Internet breakout traffic passes through Cato’s cloud-based NGFW. We also have subscriptions for Cato’s anti-malware and IPS services to protect all traffic passing through the network. Security at the core of the infrastructure helps us meet our audit and business requirements and maintain standards without having to maintain and manage a lot of security appliances.”

In addition to better management, reliability, and security, Oliver found the resilience of the branch connections using fiber broadband and 4G backup made it possible to retire several expensive Ethernet circuits at the end of their contract, leading to considerable cost savings. “Not only did Cato meet all our requirements, but it also turned out to be the most affordable of all the solutions.”

finitia Ensures Reliable Connectivity and Security with Cato SASE Cloud from Inseya
Technology
Challenge

Custom management and technology services provider finitia ag needed a scalable solution that would provide location-independent connectivity and security for all edges (sites, remote users and cloud resources), improve network performance, and enable rapid connection of new branches and cloud services with minimal technical effort. In addition, the solution should provide centralized management that enables corporate policies to be enforced at all times across all edges and connected cloud services. The new solution should also enable architecture firms, finitia's customers, to work virtualized in a VMware environment via remote access without any loss of performance.

Solution

Swiss IT security specialist Inseya AG proposed an innovative approach to this challenge based on the SASE (Secure Access Service Edge) model, which converges network connectivity and security into a cloud service that is managed via a single console. At the heart of the new solution is the Cato SASE Cloud, which connects and secures enterprise locations (the data center and branch office), cloud resources (such as AWS, Azure, Microsoft Office 365 as well as other cloud services) and mobile users.

To connect new sites, finitia only had to install a Cato Socket, Cato’s zero-touch SD-WAN device, at each respective branch office. The Sockets establish encrypted tunnels across an existing Internet connection to the nearest Cato point of presence (PoP); Cato has 65+ PoPs worldwide. Once connected and admitted by the IT manager, the device automatically integrates the site into the overall enterprise network. Sockets send all outbound site traffic to the PoP, where networking and security policies get applied and traffic is then sent to the Internet or across the Cato global private backbone to its destination.

Result

As a result of Inseya and the Cato SASE platform, finitia now has a stable connection for prioritized transmission of data such as image and voice. Thanks to intelligent routing of data traffic, critical data is protected from network failure. The entire networking and security infrastructure can be easily managed from a single console. Granular security and networking policies can be uniformly enforced on all edges. Maximum transparency and detailed reporting of all IT activities simplifies administration. New locations, including home offices of finitia employees and customers, can be opened up quickly and securely. Users can work securely on multiple devices regardless of location and without any loss of performance. The IT department has less configuration and support work. This minimizes the risk of errors and keeps operating costs low. When modernizing the IT infrastructure, additional security components such as WAN firewalls and virus scanners can be purchased on a modular basis as required.

Vitesco Technologies Builds New Global Enterprise Network with Cato
Technology
Business Division Spinoff Requires New Strategy

Once the carve-out was announced, Joel Jacobson, Global WAN Manager at Vitesco Technologies, realized he needed a new approach to the company’s network and security architecture. “At the end of the day, we needed a way to support our 70 locations and 20,000 remote users with a solution that was simple, allowed us to co-manage because we like to maintain control, and with a dev ops approach within IT of whoever builds and runs it.”

But whatever option Jacobson came up with, it was a solution that would need support. So he turned to C3 Technology Advisors to narrow down the options. And according to Jacobson, “It wasn't very difficult from there to see that only one solution was – Cato SASE Cloud. Cato allowed us the flexibility to incorporate our WAN, Internet and remote access solutions into one neat package that could be managed with a small team of people.”

Vitesco Technologies Sets Up New Sites in Minutes

One of the first capabilities Cato provided Vitesco Technologies was a unified management interface that allowed setting up new sites with minimum effort. “What would have taken us days in the past to do with other solutions, we could now do in minutes. We no longer had to have a separate IDS/IPS, on-premises firewalls, or five different tools to report on each of those services. We could bring our cloud-based services directly into Cato’s backbone with our existing sites and treat them all the same.”

Addressing Multiple Use Cases with Cato

There were various critical use cases Jacobson needed to address, and Cato SASE Cloud proved to support them all.

Supporting users and locations in China: One of the most critical topics Jacobson faced was the Great Wall of China. “We needed to get our Office 365 traffic out of China without breaking any laws. With Cato, we were able to steer our traffic in through a PoP in Tokyo and Office 365 works just as well in China as in any other location.”

Supporting AWS connectivity at scale: An additional concern for Jacobson was AWS. “We have regional installations of cloud providers, and we needed to connect these sites into our network without complicated pairing or setup. It was also crucial for us to reach two gigs of throughput, and we were very happy with the results.”

Supporting access to special applications: Jacobson needed to ensure that specific applications (such as HR, legal or engineering tools) were always up. “Like many global companies we had to secure traffic from various applications behind a single IP. With Cato’s dedicated IP support, we could steer specific websites and eliminate complicated routing or proxy settings.”

Supporting threat prevention across all traffic: Finally, threat prevention was needed everywhere. “With Cato SASE Cloud, threat prevention is built into our services so that even our smallest locations are protected from threats.”

Gradual Deployment of Cato SASE Cloud

One of the biggest advantages for Jacobson was the ability to roll out gradually at a pace that fit the company’s needs. “We knew we would need to start slowly and pick up speed during the middle and end of the migration as we worked out any issues with them.”

With Cato, Jacobson found location migration to be quick and painless. After establishing the company’s datacenters and peering points, the process of migrating sites began. “By the time we got to our tenth site, our window dropped to two hours, and we rarely needed more than one hour to cut a site over from the old service to the new, and the actual outage time was usually no more than 15 minutes.”

As for the migration process, Jacobson and his team didn’t have to cut any corners. They worked with their sites prior to the migration to set up Cato sockets in parallel to their existing WAN service. During the outage, they would switch from the old WAN equipment to the new equipment, test the applications, fail over Internet, and any other services that the site deemed critical. “Security was extended at each site on the WAN, no matter the size. And we know that our Internet traffic is properly secured. Extending our WAN to AWS and Azure was easy with Cato’s virtual sockets and where virtual sockets aren’t ideal, we used IPsec connections without having to buy or maintain additional firewalls or Internet lines.”

Vitesco Technologies Gained: High Availability, Self-Maintenance, Deep Analytics, Policy Consistency

Cato SASE Cloud enables very large enterprises to accelerate and transform their global network and security infrastructure. “This is why we moved from our internally managed SD-WAN, remote access service and cloud-based Internet provider to Cato’s SASE platform.”

With Cato, Vitesco Technologies achieved high availability across the board, removing the need for a regional hub or expensive co-location facility for WAN or Internet services. Analytics and security events are centralized in one place to make analysis easier. “If we run into any questions, Cato is there to help us. It's easy to know what policies we have applied, and we know they’re consistent across our locations. Our security team is pleased to know that Cato maintains the platform and as we need to add capacity, it's a simple phone call or email to get it resolved.”

Lion Adopts Cato to Achieve Fast, Secure Connectivity for Global Locations and Remote Users
Lion Adopts Cato to boost WAN performance and security across 29 locations and 5,000 remote users
Manufacturing
Lion Adopts Cato to Achieve Fast, Secure Connectivity for Global Locations and Remote Users Lion Seeks Network Transformation for Office and Remote Users Manufacturers face new challenges as network usage escalates and more employees work from home. How do they meet these challenges with minimum disruption, maximum performance, and airtight security? Lion Corporation, Japan’s top manufacturer of beauty care products--and one of its oldest--faced just such challenges. With 7,100 employees, 23 Japanese offices, and 11 global locations, Lion Corporation was looking at a future with an increasingly mobile remote workforce and more network usage in general. “It used to be just fine if we were all connected, but now it was becoming more important to be connected securely at all times.” “We saw that the work environment would change dramatically in the future and the use of the network would increase,” says Eiichi Kobasako, Lion Corporation’s Chief of Integrated Systems. “It used to be just fine if we were all connected, but now it was becoming more important to be connected securely at all times.” The Covid-19 pandemic accelerated remote work requirements dramatically as well. “It was clear many more people would be working remotely,” says Atzuyuki Shiina, Lion Corporation Information Security Specialist. “Obviously our old network would not support all these new remote users” Lion had been relying on VPN connections for both location and remote access connections. Security was provided separately by a combination of appliances and services. “Obviously our old network would not support all these new remote users,” says Shiina. Lion was looking to accommodate additional remote users securely and blend connectivity and security across the entire network. “We wanted to unify all the network components, such as security,” says Kobasako. They needed a solution that would accomplish those goals while providing good performance for all users. 
Perhaps most important for Kobayashi, however, was that the network transition would have to cause as little disruption as possible. “We’re in the manufacturing business,” says Kobasako, “with lots of offices, factories, laboratories, and heavy factory equipment. Drastic changes and big disruptions are not acceptable.”
Lion Chooses Cato SASE to Merge Networking and Security
Kobasako had heard good things about Cato SASE and decided to give it a try with a proof of concept (POC) implementation. At the same time, the Covid-19 pandemic exploded, so Lion incorporated remote access into the POC as well. He was impressed with the Cato team. “We were worried at first because Cato was a new system and approach for us,” says Kobasako, “but the Cato team cleared up all of our concerns.”
Cato connects all global enterprise network resources — including branch locations, physical and cloud datacenters, and mobile and home users — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to improve throughput dramatically. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. 
With Cato, mobile and home users get the same network performance and security as their office counterparts.
Cato: Smooth Transition, Easy Management
The results of Lion’s POC with Cato were impressive. “It was clear Cato was a very good solution for us and that its management portal would help us cut management costs,” says Kobasako. “The transition was very smooth. We decided that Cato would be the center of our network, which is the main component of our IT strategy moving forward.” In a matter of weeks, Lion deployed Cato to 29 of its locations and to 5,000 users who moved to working at home during the Covid-19 pandemic. It has taken full advantage of Cato’s next generation anti-malware, IPS, and MDR to secure all its users. With Cato SASE, office and remote and home workers connect to the same high-speed backbone. Mobile and home users benefit from the same network optimizations and security inspections as office workers. Aside from excellent performance and Cato’s airtight security, Lion is impressed with Cato’s management portal, which centralizes network and security monitoring and management in a single console. “We really like that Cato is in the cloud so we can manage everything on the network from one place,” says Kobayashi. “That is a huge advantage for us.” “We have many more security controls with Cato’s SD-WAN than we had before,” adds Shiina. “This year, the entire WAN and Internet connectivity will be running on Cato.”
Bugaboo Transforms its Network with Cato, Boosting Cloud and Datacenter Application Performance
Manufacturing
The Challenge: Slash Network Complexity and Cost
Global manufacturers need fast, secure WAN connections among datacenters, manufacturing plants, sales offices, and the cloud to provide a positive customer experience and compete successfully with fast-moving competitors. Many have relied on global MPLS networks, which are expensive--particularly in the Asia Pacific region--and not always reliable. And still others are relying increasingly on cloud applications, which are ill-suited for legacy networks based on MPLS. Such was the case with Bugaboo, a well-known innovative Dutch designer and manufacturer of baby strollers and parenting solutions. Bugaboo had a datacenter and main office in Amsterdam, a manufacturing plant in Xiamen, China, and offices and retailers throughout the EU, North America, Australia, and Asia Pacific.
When Rein Droog joined as Vice President, Global IT for Bugaboo in 2019, the company was suffering from WAN and infrastructure complexity. The network had emerged organically, requiring internal technology experts to keep it humming. At the time, ERP and other applications were running in the Amsterdam datacenter, connected to global locations either via MPLS or, in the case of the smallest locations, Internet VPNs. “We had somewhere between 10 or 20 different contracts with local providers,” says Droog. Not only was the WAN infrastructure complex, it was also expensive. “In Asia the MPLS is much more expensive than in Europe,” says Droog. What’s more, IT staff had to fly all over the world to bring up even small, 10-person offices, he says. Security was also varied and highly distributed among locations. 
“There had been little to no centralized monitoring or management, which complicated policy configuration and enforcement,” he says. With all this complexity and expense, WAN performance and stability were constant issues. “One month Japan was down, the next month Australia,” says Droog. “With all of that expensive MPLS, our China locations still had performance, latency, and downtime issues when connecting to applications in the Amsterdam datacenter. The whole setup was just not economical, and with all the expertise in a few IT staff, not sustainable.” Bugaboo also sought to kickstart a major digital transformation, which included a “Cloud Unless” policy that mandated moving applications to the cloud whenever it made business sense. MPLS was clearly not the strategic solution.
With IPknowledge, Bugaboo Embarks on Total Network Transformation
Droog started soliciting feedback from leadership, users, and IT to start building a digital transformation strategy. “All kinds of unfiltered feedback was collected, from the good to the bad,” says Droog. “From virtual meetings not going smoothly, to latency issues or bad application performance. Some things were working, however, so my task was to find the root cause of the issues we were having and fix it.”
Droog drafted a technology transformation roadmap with three major objectives:
Fix the foundation, which included hosting and networking, site infrastructure, user and meeting services and security.
Improve the application layer by rationalization and simplification.
Improve the data reporting and advanced analytics capability by focusing on ownership, quality and tooling.
“We looked at the network and site infrastructure as one of the first,” says Droog. To fix the foundation, Droog turned to longtime IT partner IPknowledge, a Dutch provider of Internet access and cloud-native connectivity and security to enterprises like Bugaboo. IPknowledge had already been working with Bugaboo to enhance the existing WAN infrastructure with WAN optimization solutions. In this case, Droog wanted IPknowledge to help him transform the network. “We had a lot of discussions on how to set up a flexible network that could deal with the number of users we had in our office locations,” says Droog. “I wanted one reliable partner, not 20 different contracts, and I didn’t want our folks having to deal with 24 X 7 monitoring. The solution had to be simple and sustainable, and it had to just work.” Droog wanted to be able to open--and close--offices quickly and easily if necessary, a key requirement of rapid company transformation. “We were changing quickly, and it was difficult to know what was coming in the next three months.”
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next-generation firewall, content filtering, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed PoPs. At the local PoP, Cato provides an onramp to its global backbone and security services. 
The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile and home users run across the same backbone, benefiting from the same optimization features and improving remote access performance.
Droog tested several solutions, including Cato. Bugaboo had just switched to Office 365 and Cato worked the best with the service, particularly in China. “Our overall internal network performance also improved with Cato and the performance of our Amsterdam-based applications in China improved significantly.”
Network Complexity to Simplicity with Cato and IPknowledge
Setting up the tests was remarkably easy. “That’s one of the things that drew me to the Cato solution,” says Droog. “Cato really is plug and play. It was clear that Cato’s flexibility actually made switching to Cato less risky than staying with the solution we already had.” Rolling out Cato to the other locations over a month was also quick and painless. “There was zero downtime during the rollout,” says Droog. “We just shipped the Cato Socket to each office and walked whoever was there, even a salesperson, through how to plug it in.” No IT travel required.
When Covid-19 hit, Bugaboo sent everyone home to use its existing remote access solution but switched gradually to Cato between November 2020 and January 2021. Once remote access moved to Cato, performance for all those work-from-home users improved in Asia and North America as well. “We heard a lot of home users say, ‘Hey, this runs much faster!’” says Droog. 
And finally, cloud applications also ran faster under Cato. “With Cato the performance with the cloud was faster than connecting to the cloud directly,” says Droog.
As for security and management, Bugaboo has its own security monitoring tools and policies, but Cato provides the firewall, antimalware, and IPS capabilities in the cloud. IPknowledge also has its own management and monitoring tools to manage the Bugaboo Cato deployment but hooks into Cato’s management system using the Cato API. “Cato’s management portal takes care of a lot of mundane tasks that we had to handle ourselves before,” says Steven de Graaf, managing director of IPknowledge. “With Cato we can be proactive and spend time on architectural improvements instead of configuring and fixing firewall rules. Cato lets us compete with the big telcos and provide a better solution, which is why it has become our principal strategic partner.” “Monitoring and maintenance have improved a lot with Cato and IPknowledge,” says Droog. “And where there were hiccups every month with our previous infrastructure, Cato has been absolutely stable, fast, and available.”
Diamond Braces Uses Cato to Boost WAN Security, Performance, and Reliability
Healthcare
The Challenge: Easy Deployment and Management; Fast, Reliable Connectivity
Doctors’ and dentists’ offices have stringent security requirements, thanks to HIPAA and other regulations for protecting patient data. They work with large X-ray image files and many have been moving medical management applications to the cloud. For dentist office chains, such as Diamond Braces, fast, secure, reliable communications among locations and the cloud are an absolute requirement. The Diamond Braces network spans 32 orthodontist locations in New York State, New Jersey, and Connecticut, with headquarters in New York City.
Before Cato, most Diamond Braces locations were connected via Internet VPNs, with fiber running only from its main office and call center. Each location ran a separate firewall gateway/VPN appliance, which led to increasing complexity as the number of locations grew. “It was all getting too difficult to manage and it was taking too much time to ensure it worked properly,” says Alexander Azikov, IT Manager at Diamond Braces. For all their complexity, however, the firm’s firewalls couldn’t filter HTTPS traffic, so Diamond Braces was left without any content filtering capability, unless it added it separately, which would only increase complexity and cost. “We had people accessing malicious sites, often unintentionally via a typo or spam mail,” says Azikov. “We needed the capability to warn them or block those sites. 
I was also looking to add IPS capabilities and I needed an integrated solution that could do it all with a single-pane-of-glass.”
Applications such as Office 365 and the firm’s patient management solution were mostly in the cloud, so fast, reliable cloud and office connectivity were vital. Large X-rays averaged 7MB each and the company made extensive use of cloud-based VoIP and videoconferencing, so hefty bandwidth and quality of service were also WAN requirements, as was backup connectivity in the event of service disruptions. With Diamond Braces adding an average of 10 locations a year, quick deployment and easy, centralized management were also key capabilities that IT was not getting from its VPNs, fiber, and branch-based firewall appliances. “We really needed a scalable solution with unified security and management,” says Azikov.
Diamond Braces Taps Cato for Simplicity and Security
Azikov had heard how SASE merges WAN and security in a single cloud-native solution and was pretty sure it was what he was looking for. He considered several vendors, but the only one that filled all the SASE requirements was Cato. “One vendor had an excellent infrastructure, but very limited security, so we would have had to go to another vendor for content filtering, just like with our current solution,” says Azikov. “Another vendor relied to a large extent on its endpoint security appliances, so it wouldn’t relieve the complexity of our current appliance-based architecture.” Only Cato offered a completely integrated cloud-native SASE solution with a single management interface for WAN and security. It also had all of the required security functions--firewall, IPS, and content filtering. The only appliance to install was the Cato Socket, which was a cinch to configure and required no real management. 
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, content filtering, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed PoPs. At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance.
Installing the Cato solution was incredibly fast and easy. “We had a proof-of-concept stage, during which I was able to set up an office myself,” says Azikov. “I just had to ask some questions about the best way to do certain things. After the first, I could set up locations without even thinking about it.” It didn’t take long to set up all 33 locations with 50 Mbits/s Cato connectivity. 
“Once we had it all connected on a single Cato network, everything was so easy and reliable,” says Azikov. “We can get by on 25 Mbits/s, but 50 made working very comfortable, and Cato’s QOS made for very smooth video.” For the central office, Azikov went for 75 Mbits/s.
Cato Brings Security, Reliability, and Easy Management
Azikov loves the simplicity and reliability of the Cato solution. “Cato’s centralized management saves tons of time,” says Azikov. “We troubleshoot issues so much faster. When you have everything in one place you can just switch back and forth and analyze different pieces of the puzzle. It really ticks all the boxes for us.” With the original firewall solution, Azikov had to copy and paste text-based configuration information from one site appliance to another. Sometimes there were IP address mistakes, which led to hours of troubleshooting. “With Cato it’s all just plug and play,” says Azikov. “We don’t have to deal with all those IP issues. And when there’s a provider issue, I can see it on the Cato interface immediately before employees call me and tell them we’re using a backup connection and I’m already working with the provider to get things up again.” With easy management, Azikov has more time to research new financial and project management tools to improve the business. “I love the analytics Cato provides to help me troubleshoot issues and tweak the system for optimal performance,” says Azikov. “Otherwise, I really wouldn’t know what to change to make things better. 
This helps especially with QoS on the slower broadband and LTE backup connections.” Azikov’s favorite Cato feature is Event Discovery.
With Cato’s Event Discovery capability, Diamond Braces can harness detailed analytics to troubleshoot network issues and tweak the network for optimal performance.
In all, Cato has made business much smoother for Diamond Braces and management of WAN and security much easier for Azikov. Perhaps the best thing: “We have a lot fewer complaints from end users,” says Azikov.
Haulotte Halves Network Costs and Boosts Application Performance By Migrating from MPLS to Cato
Haulotte reduced costs and improved the performance of applications by migrating from MPLS to Cato
Manufacturing
The Challenge: Network Reliability at a Lower Cost than MPLS
Global manufacturers face significant challenges in an age of digital transformation. Many have relied on MPLS to connect manufacturing plants, corporate and sales offices, and the datacenter. As mobile/home users and cloud applications have grown in importance, however, MPLS has shown itself to be both too expensive and not agile enough to remain a viable WAN solution. Such was the case with Haulotte, a global manufacturer of materials and people lifting equipment used in construction, warehouses, farms, managed forests, and similar sites. With six manufacturing plants and more than 30 offices across Western Europe, North America, South America, Africa, and Asia Pacific, Haulotte had faced three years of delays and cost overruns rolling out MPLS to all its locations. At the end of those three years MPLS accounted for a whopping 10 percent of the entire IT budget. Service was usually adequate but there were definite issues. “During my first few months at Haulotte, the network was a daily headache,” says Thomas Chejfec, who joined Haulotte as Group CIO in 2019. “There were outages, complaints, and negative feedback from several internal teams about the service from our major international MPLS provider.” Haulotte was also migrating to Office 365 and MPLS was not a great fit for the cloud.
Haulotte Considers Alternate MPLS and SD-WAN solutions, Chooses Cato
With several MPLS contracts reaching end of life, Chejfec decided to look at both MPLS and SD-WAN alternatives. “It was clear that switching MPLS providers could save us 20% in budgetary costs but migrating to SD-WAN could save as much as 50%,” says Chejfec. 
Chejfec’s IT team investigated several SD-WAN providers, including traditional hardware vendors and more specialized service providers. In the end Cato was the clear winner. “I went to Tel Aviv to meet with the Cato team, see how they work, and investigate the solution’s coverage,” says Chejfec. “I liked the company’s ‘Unicorn’ spirit, with its young, highly responsive employees at the forefront and Cato’s ultra-simple management software solution.”
Cato connects all global enterprise network resources — including branch locations, physical and cloud datacenters, and mobile and home users — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 65 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to improve throughput dramatically. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone.
Chejfec felt that Cato’s approach to networking and security was the most user centric of the solutions he considered. “Cato’s management interface was so easy to use compared to those of the traditional SD-WAN players we looked at,” says Chejfec. “That really made a difference for us. 
It allowed our small team of three, with two based in our Romanian datacenter, to view network traffic across all our sites in real time. We can even see which sites use YouTube and other apps the most and how many gigabytes are transferred.” Chejfec also liked that Cato had its own converged backbone with a high density of global Points of Presence. “And we loved the price, of course!” says Chejfec. “Cato let us take advantage of good access at half the price of MPLS.” He was also impressed with Cato’s security services, including the ability to shut down the entire network with a single phone call to prevent the spread of ransomware and other attacks.
Fast Deployment, Fast Performance, Low Cost
Chejfec started rolling out the Cato SD-WAN solution to individual sites, leaving deployment of Cato’s security services for the future. When Covid-19 hit, Cato came in very handy for mobile/home user access as well. “For the first lockdown we kept our previous VPN, but we didn’t have enough licenses for all our new home users and activating new licenses would add significant costs and long implementation times,” says Chejfec. “We decided to try the Cato VPN and were able to deploy it to 300 home-based staff in less than a day!” Deploying Cato to its sales offices was also simple. “We just dispatch the Cato Socket with a page of instructions to each location,” says Chejfec. “Our local contact installs it at the site and then we take over remotely to finish the job. It’s truly plug-and-play.” As for the manufacturing plants, IT sent the staff an email notifying them that the network would be unavailable between 7 pm and 10 pm in order to change providers. 
“At 10 pm the network was up and running and employees could resume work the next morning with no disruption.” The migration was delayed by the slow termination of MPLS contracts, but it has been a relatively trouble-free experience. “In my 10 years of experience in IT, this is the only major project that turned out to be a minor project,” says Chejfec. “Usually a network migration project is a hot topic of conversation and affects everyone at every level but migrating to Cato was truly seamless.”
Not only was the switchover seamless, but there were notable performance and quality of service improvements with Cato compared to its previous MPLS solution. “We had just migrated to Office 365 and the quality and performance of Microsoft Teams was a definite improvement,” says Chejfec. “I believe this had a lot to do with the switch to Cato. For the network team, the management interface is a godsend,” Chejfec adds, “as Cato anticipates Internet link problems, they can intervene quickly before they affect users.”
The next phase in Haulotte’s Cato migration will be to start deploying Cato’s security services globally and the entire Cato solution to a new factory currently being constructed in China, where Cato has several PoPs. Perhaps the best thing about the transition to Cato: “The network is no longer a topic of discussion with users,” says Chejfec. “We never hear about it anymore.”
The Flügger Group Gains Network Flexibility and Security with Cato and Secher Security
The Flügger Group Gains Network Flexibility and Security with Cato SASE Cloud
Manufacturing
The Challenge: Simplicity and Flexibility
In an era of digital transformation, manufacturers need fast, secure WAN connections with datacenter applications, retailers, suppliers, partners, and the cloud. Retailers in turn need fast connectivity with manufacturers and their own datacenter and cloud applications. As both a Danish paint and related products manufacturer and retailer, the Flügger Group needed all of those things. With five manufacturing plants and more than 200 of its own retail locations and 200 franchise stores in Scandinavia, Eastern Europe and China, the Flügger Group was in the midst of a major expansion and digital transformation.
Prior to Cato, Flügger relied on MPLS WAN connections and multiple security point solutions to provide secure WAN connectivity. “Our MPLS solution was secure, but it was a very closed, inflexible environment that we couldn’t make changes to without a lot of time and effort,” says Jan Jørgensen, IT Project Leader. “We had to do a lot of workarounds.” Flügger was opening, closing, and moving a lot of stores and it took much too long to get them up and running with MPLS. “It got quite difficult to meet our deadlines,” says Rune Skovsgaard, Head of IT. Flügger was also modernizing its manufacturing plants. “We were inviting more suppliers and partners directly into our network, including those who would help support and maintain plant IT,” says Skovsgaard. “They had to get into a very closed network to do their work. 
We needed an environment that was both more open than MPLS and as secure, and, of course, financially attractive.” With all its point solutions, security was also inflexible and time-consuming. “We couldn’t work with our firewalls, honestly,” says Jørgensen. “If we had to make any changes or give an external provider access, it was impossible. It took a lot of work and time even to just open and close the firewall for a specific partner. Sometimes we just left it open.”
Flügger Turns to IT Consultant, Adopts Cato
Looking to simplify networking and security and make it all easy to manage, Flügger turned to Secher Security, a Danish IT security consultant firm, for help. “They had all sorts of different vendor solutions and partners involved in a lot of different IT projects,” says Kristian Secher, Secher Security CEO. “They were losing money on all those different consultancy services. Immediately we saw that we could simplify their environment with the Cato solution.” The Flügger Group took to the Cato solution almost right away. “Things moved quickly and easily because the Flügger team was very interested in the solution and eager to help get the job done and make it a success,” says Secher.
Cato connects all global enterprise network resources — including branch locations, physical and cloud datacenters, and mobile users — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next-generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 70 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. 
The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone.
Flexible Network, Flexible Partner
Aside from being impressed with the Cato solution, Skovsgaard found his Cato partners very flexible and easy to work with. “When we select a new supplier we look both at the technical solutions and whether it will be a good working environment,” says Skovsgaard. “With Cato we have a very flexible supplier that understands our requirements and is there when we need help.” Many of Flügger’s stores are very small and Skovsgaard appreciated that Cato was willing to accommodate such small network environments. “Cato understood our business and adjusted its own business model and contracts so they would work for us,” says Skovsgaard. After 12 months with all Flügger stores now up and running on Cato, the Cato solution has paid for itself compared to MPLS, and is now saving the company money. But there are more important benefits, according to Flügger. “Cato gives us both the security and flexibility we need,” says Jørgensen. “We can bring new partners into the network easily and securely.” “It’s also quick and easy to move, open, and close stores compared to how it was with our previous MPLS network, even when they’re in other countries,” says Skovsgaard.
“And we have a single reliable supplier for network security instead of having to deal with a lot of different security vendors.” Jørgensen likes that Cato is an Internet solution. “With MPLS you’re bound to a certain Internet provider,” says Jørgensen. “Since Cato uses the Internet, it’s less expensive to maintain and we can shop around for a provider, which saves money.” Jørgensen also likes Cato’s easy management. “We have much more control of the network and can monitor and make changes remotely,” says Jørgensen. “Before Cato, if a retail store dropped a connection, there wasn’t much we could do. With Cato we can see that the line is working fine and find exactly where the errors are in the system. We can make quick security changes remotely and easily to adapt to new threats.” Jørgensen recommends the Cato solution to others. “It’s been a great experience, a business critical infrastructure asset that’s stable with a great team that I can trust. And we have a solution we can grow with our business.”
TES Goes Lean Consolidating Global WAN and Security
Environmental Services
The Challenge: A Single Network and Security Model
IT service providers need fast, secure connections between locations and customers to deliver digital services and keep the business running smoothly. Such was the case with TES, a Singapore-based IT lifecycle solutions provider specializing in IT equipment deployment, recycling, and disposal with data and brand protection. With nearly 40 sites in 20 countries and thousands of security conscious customers, TES’s security and communications challenges were great. “Once we got to a certain size, we realized we had to implement higher levels of control, security, and protection than we had had when we were smaller,” says Stuart Hebron, Group Chief Information Officer for TES. “Our customers are constantly checking our security model to ensure it’s aligned with their model and compliance requirements.” Adding to TES’s challenges were a number of mergers and acquisitions that brought in new networks, people, systems and software. “With our lean IT workforce, we sought a quick and easy way to integrate those sites under a consistent security and operational model,” says Hebron. “We needed to become well connected, resilient, and able to function as a single global business, rather than a group of individual small businesses around the world.”
TES Investigates SASE Solutions, Chooses Cato
The company looked at several solutions for WAN and security, but Cato was the one that fulfilled all its requirements. “Cato provided us an option to address many things, including security, connectivity, and network resilience, without having to invest significantly in other expensive technologies,” says Hebron.
“All the things that were important to us were there.” Cato was also the best deal overall. “Everyone says when it comes to good, quick, and cost efficient, you can only have two, but Cato gave us all three.” Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 55 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance. “We liked that we could use standard, conventional Internet access points at all of our sites, which saved a lot of money for us,” says Hebron.
“With Cato, we could bring those new acquisitions in quickly without having to do deep dives into their security and network architectures.” Deploying Cato to each of TES’s locations was easy as well. “Cato allowed us to roll out quickly but gradually,” says Hebron. “As COVID hit last year, we found we could literally ship a Cato socket to each location without anyone having to travel to the site, which made things much safer. Through the joys of mobile phone technology and cameras, we could then walk non-IT skilled employees through plugging the sockets into the network and then access and configure them from afar. The speed at which Cato delivered those devices and the ability to deploy them without an on-site specialist made such a huge difference, reinforcing security at a pace that exceeded our initial goals,” says Hebron. Initially Hebron wasn’t even sure TES could achieve its goals quickly with the lean team he had.
TES Goes Lean and Mean with Cato
Once it was deployed, Cato also made things easier with its single centralized management console for both networking and security. “We needed a solution that would let us monitor and manage our entire network with a small group of specialists,” says Hebron. “Cato delivered that.” Combined network and network security management has also delivered the consistency the company needed across locations as a single global firm. “We have much better capabilities across our environment,” says Hebron, “while at the same time we can address regional security concerns. Cato lets us make rapid changes to our overall security model. It also gives us online reporting, visibility across the network at any time at a single glance, and actionable value out of what we see on screen. Instead of just responding all the time we can see things coming.” Support has been excellent as well, according to Hebron. “We’ve had nothing but good experiences.
Cato has even helped us with other internal challenges outside of their environment.” Cato has allowed TES to keep its IT workforce lean. “We haven’t had to add any people since we deployed Cato,” says Hebron, “and we’re actually considering ways to do more with the people we have.” Customer acquisition and retention have gotten easier. “We find that Cato helps us have better conversations with our clients,” says Hebron, “as it’s clear to them that we can achieve all their compliance goals. Audit processes are faster when they look at our internal security around data, brand, and IP protection.” Perhaps the best thing about deploying Cato: “Since deploying Cato in the past six months, I can tell you I sleep much better at night,” says Hebron. “The gray has started to slow,” he laughs, “and I feel as if I’m in a much better position with my role in the organization, which is to protect our customers and the business. It gives me more confidence when I’m with customers that we can actually do what we say.”
Hoyer Motors Taps Cato to Connect China Offices and Cato MDR for Better Malware Protection
The motor manufacturer improved security and control with Cato MDR
Manufacturing
The Challenge: Keep Firewalls Current Without Sacrificing Control
It's no secret that manufacturers everywhere need to protect themselves against malware. But as attacks come faster and attackers become more sophisticated, how do enterprises secure themselves without compromising their budget or relinquishing control? Hoyer Motors faced that same challenge. The near half-century-old Danish manufacturer of electric motors had relied on Internet-based VPN and branch firewall appliances to connect its locations across Europe, Korea, and China. The China office also had an MPLS connection. A third party managed the company's branch firewall appliances. And it was in those branch firewalls that the company faced so many challenges. "It's really, really crucial that a firewall update be applied immediately. Otherwise, you risk being breached," says Kenneth Middelboe Carlson, IT Senior Administrator at Hoyer. "But it could take our management provider 14 days to update our firewalls." "By using smaller hardware-based firewall appliance solutions, which were outsourced to another company, Hoyer had no control, no visibility, and no clue the firewalls were working or not working," explains Kristian Secher-Johnsen, CEO at Secher Security, a premium Cato partner and security advisor to Hoyer. Hoyer was also facing service interruptions at many offices. "The offices had difficulties in connecting," says Carlson. And then there was cloud migration. Since Hoyer had first deployed its global network, the cloud services had matured. As a result, Hoyer wanted to migrate to the cloud and wanted an infrastructure that would reflect that change.
Hoyer Embarks on Its WAN Transformation Journey
Hoyer began looking for another global networking solution. "In general, the core functions we were looking for were some cloud possibilities so that we could get the same benefits in Denmark, Europe, and China," says Carlson. Hoyer was also looking for something easier to manage. "We wanted something that could be updated and managed easily, something that IT could do themselves. We like to do most of the things ourselves instead of paying consultant fees to other companies." And the company wanted SD-WAN to provide last-mile redundancy and high availability by leveraging multiple Internet connections. "In case someone digs up the fiber and cuts it in half, you can still use 4G. It's essential that you do not have a single point of failure because if your infrastructure fails, then our customers, our colleagues, can't do the work, and we lose money," he says.
Hoyer Selects Secher Security with the Cato Global SASE Platform
Hoyer began looking at various solutions when the team was contacted by Secher Security offering the Cato solution. "I believe we had our little sheet with five key notes and the Cato solution that Secher presented to us was actually down on all of them," says Carlson. "We have WAN optimization. We have SD-WAN. It's a SaaS solution, but it's global everywhere." Carlson was excited by the Secher-Cato proposal but skeptical. "Sometimes you know when a salesperson contacts you, it's like, of course, it can be better. But is it better?" asks Carlson. So, Hoyer requested a testing phase. First, they deployed Cato Sockets, Cato's edge SD-WAN devices, in their server room and equipped five users with the Cato Mobile Client.
"The improvement, especially in China, was incredible. I have never seen anything like it," says Carlson. "4G connections in the outer areas of China where you normally cannot connect to anything just worked with Cato. It was really, really impressive to see." When Hoyer saw results like those, the outcome was clear. "We knew we needed to agree on a price and terms. But, compared to the MPLS that we already had, which is a pretty hefty price, it didn't really take much to do the change."
Hoyer Taps Cato MDR for Improved Security
Hoyer eventually equipped remaining mobile users with the Cato Mobile Client and locations with Cato Sockets. Branch firewalls were replaced with Cato's security-as-a-service, which Hoyer can fully manage. Additional insight was provided by Cato Managed Threat Detection and Response (MDR). With Cato, site and mobile users automatically send all traffic to the nearest Cato PoP. With each PoP, Cato's converged networking and security, cloud-native software stack inspects the traffic and applies the necessary security and networking policies before sending the traffic on to the Internet, or optimizing it and sending it across the Cato global private backbone. "Generally, we have had everything that Secher Security promised," Carlson says. "Our connection is better than what we have ever had, especially in China. We have people in factories in northern China that have never been able to work on remote desktop to connect to our system, and now with Cato, they can do that, and that is really, really big." With Cato, gone are his concerns around timely patching of firewalls.
Instead, the Cato team keeps the Cato security stack, which includes a next-generation firewall (NGFW), Intrusion Prevention System (IPS), and Secure Web Gateway (SWG), always current. And by constantly hunting the network for the symptoms indicative of malware and network attacks, Cato MDR often identifies threats missed by legacy anti-malware systems. "We were pleasantly surprised with Cato MDR," he says, "Guest computers were brought into our office and connected to the Guest Internet, which is not connected to the company domain. Cato MDR notified us that they were infected with anti-malware even though they were running Windows 10 with active antivirus." Cato MDR also flagged unknown devices on the network. In short, "MDR has changed how we look at security," says Carlson. "Right now, we're optimizing security, antivirus, pattern control, and everything more thoroughly than we have ever done before, basically because of MDR. Cato MDR has been more impactful than I ever thought imaginable."
Cato: Restoring Control to IT
Hoyer might have gone out looking for a more consistent, more secure network, but in the end, Hoyer gained far more than just better technology. "I believe the biggest thing by moving to Cato compared to what we had before is that I feel that we are in control," says Carlson. "Yes, we've seen increased productivity. It's easier for people to connect globally because of Cato. But for IT, it's all about the management. The more you can manage yourself, the better."
Komax Drives Innovation, Cloud Connectivity, and Mobile Collaboration with Cato
Manufacturing
The Challenge: Agile Cloud and Mobile Connections
Innovative companies need innovative IT solutions to help them collaborate and bring new products to market fast. These include fast, agile connectivity to cloud services and a collaborative mobile workforce. Rigid legacy WAN solutions such as MPLS cannot offer the network flexibility and speed that are vital to innovative success. Komax, a world market leader and innovator in wire processing solutions—everything from wire strippers to complex harnesses for automobile electronic wiring systems—knew this all too well. “We are the market and innovation leader in our industry,” says Tobias Rölz, Executive Vice President, Market and Digital Services for Komax. When Komax started a major digital transformation three years ago, Rölz knew the company would have to transform IT. “We analyzed our systems and data and started moving into the cloud, introducing Office 365 for collaboration, Salesforce for CRM, and cloud-based SAP for ERP.” Komax had transitioned from MPLS to SD-WAN six years before that. Unfortunately, the appliance-based SD-WAN solution it deployed as an alternative proved too complex and rigid. “The SD-WAN appliances we had at 35 of our sites were a nightmare,” says Daniel Sollberger, Komax’s Lead, Global based IT Infrastructure, “including the first and second level support from the provider. We felt we needed to get away from all that complex hardware and move towards SASE (Secure Access Service Edge).” “Strategic fit was important,” says Rölz. “We wanted a solution from a company thinking one or two steps ahead of the others that would reduce the operational costs of our network. IT value should come from offering services that improve the quality and productivity of our company, not operating a server or network appliance.”
Komax Investigates SASE, Chooses Cato
Komax had heard about Cato through Gartner.
“Cato Networks was one of the first vendors identified in Gartner’s SASE research,” says Sollberger. The team looked into Cato and liked what they found. “We were impressed by Cato’s thinking. They were really thinking one or two steps ahead of others,” says Rölz, “Cato was moving the network and security into the cloud, which completely fits our vision for more or less a serverless office in a few years from now.” Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 60 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance. Rölz and Sollberger found moving away from installing and managing SD-WAN appliances very appealing. “We liked that all the interconnected PoPs in the Cato cloud meant we could stop depending on our local on-premises SD-WAN equipment,” says Sollberger. COVID-19 hit just as Komax started rolling out Cato to its 35 locations. “Cato reacted very quickly,” says Rölz.
“With Cato, we could move people out from our offices to their home offices fast without a single interruption, ensuring the same security level, performance—the same feel—working from home as at the office,” says Rölz. “That rollout demonstrated the agility and flexibility Cato and its cloud connectivity and security would give us.” Komax also rolled out Cato to the 35 locations that formerly held all that complex SD-WAN equipment. “Even in locations where we had no IT at all, the general manager was able to install the Cato socket quickly and have the network up and running in minutes,” says Rölz. “Cato’s first and second level support is great at helping internal customers directly,” adds Sollberger.
Agility, Performance, Security, Cost
The result was reduced operational costs and improved agility, flexibility, performance, and security. “When you move into the cloud you need to be agile and flexible,” says Rölz. “Moving security and intelligence to the cloud gave us that agility and helped us reduce our operational costs significantly. Operations are handled by the Cato very smoothly.” Security was another benefit. As Komax moved its employees to their home offices, it saw a significant increase in attacks. “We can see that Cato has been reacting very strongly to protect our network,” says Rölz. Cato’s support has also been a relief. “Cato is able to support our issues in all our locations 24 hours a day,” says Sollberger, “This lets us focus on more important goals, such as helping our customers achieve better quality and operations.” Setting up new sites on Cato is quick and easy. “We can set up new sites and VPN users in minutes or hours,” says Rölz, “and Cato’s agility is helping us adjust the network, bandwidth, and traffic prioritization easily as we migrate step-by-step to the cloud.
With Cato, we can even address traffic in the specific country where the cloud solution sits,” says Sollberger, “and it’s easy to increase capacity bandwidth in each site to scale. This helps us improve performance and response times and makes the cloud service much better to use.” Rölz feels that Cato is very in tune to Komax’s needs. “They really listen to us, consider our needs, and adapt to them. It’s a real partnership.” “I’m convinced Cato’s architecture is the future of the WAN,” says Sollberger. “It’s great to be part of it.”  
Accounting Firm Boosts WAN Reliability, and Security, Cuts Costs with Cato
Financial Services
The Challenge: Reliable, Secure Office Connectivity
Few organizations are as deadline driven as accounting firms, especially during tax season and around other tax milestones. They need fast, reliable networks connecting office locations with cloud applications, mobile staff, and each other to get their clients’ work done on time every time. At a time when most accounting applications have moved to the cloud, MPLS just doesn’t make it as a WAN solution anymore. It’s too rigid, expensive, cloud unfriendly, and in the case of a major North American accounting firm, unreliable. The firm had connected 34 of its offices via MPLS. Security at each location was provided by firewall/IPS appliances, but they were used mainly for direct Internet access (DIA). “MPLS went down enough times that users became accustomed to firing up their mobile VPN clients for communication even though they were inside the office,” says the firm’s Senior Network Engineer. “When an interruption happened close to April 15 it was really disruptive, and disruptions cost money.” As corporate accounting applications moved to the cloud, more and more of the firm’s traffic became cloud based. “We had to go over the Internet for the cloud traffic, so it was getting to where nobody really liked MPLS,” says the network engineer. “The only reason we kept it as long as we did was for contractual agreements and QOS for voice and video.” Until recently, the firm relied on on-premises VoIP from a well-known provider. However, when it moved to a major voice and videoconferencing cloud provider, MPLS looked even more obsolete.
“At that point it became clear: Why use a slow, expensive, less reliable circuit when you could get faster, more reliable circuits a whole lot cheaper?” The network engineer had heard “rumblings” about SD-WAN but didn’t know much about it and assumed the technology needed time to mature. When voice and video moved to the cloud, he decided to take a good look. “My feeling was that there is no such thing as genuine QOS over the Internet. I was looking for a platform that would handle QOS as best as it could be handled.”
Firm Looks at SD-WAN Alternatives, Falls in Love with Cato
The firm went to its VARs and other partners for advice. One recommended another cloud SD-WAN provider and one recommended the Cato SASE platform. “He said, ‘Knowing your company like I do I think Cato would be a great match,’” says the network engineer. More people seemed to know about the other provider so he decided to try them first. “We wanted a solution that was simple, configurable, secure, and that offered some type of QOS,” says the network engineer. The firm set up units in the datacenter and two locations and ran file copy jobs to see how fast and consistent the performance would be. It also tried various ways to “break” the network to see how easy it would be to use the management software to find the source of the problem. It wasn’t pretty. “The other vendor’s software was too complex, with too many dials,” says the network engineer. “They also pointed us to either our existing security platform or another vendor for security. We didn’t like that.” Their partner security vendor’s interface was also complex. “Both were the types of GUIs you would have a lot of trouble with if you didn’t use them every single day.” The company decided to run Cato through the same tests. It set up Cato Sockets at the datacenter and the same locations as it had with the other vendor.
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS. Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 60 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an on-ramp to its global backbone and security services. The backbone is an affordable MPLS alternative, not only privately managed for zero packet loss and five 9’s uptime but also equipped with WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance. “We got pretty far with the first Cato installation without any help, and the few questions I had were answered quickly,” says the network engineer. “When it came to the other two locations, we didn’t even have to call Cato. It was so easy compared to the other vendor solution, which required a lot of tweaking. That’s when we started to fall in love with Cato.” Compared to the other solution, the Cato file copy tests were much more reliable. “The consistency was amazing, almost like a flat line,” says the network engineer. “It really made Cato look good.” Cato’s management GUI was also much easier to use. “Cato didn’t have all the dials the other one and its security partner had, but it had all the controls that mattered,” says the network engineer. 
“And it was really simple, without all that distracting configuration to worry about.” He showed Cato to his risk and compliance team and they really liked Cato’s interface and capabilities too. “Setting up the network, firewall and other rules was really intuitive. And I love how I can go into the Cato portal, make some changes and watch them take effect in real time.” The network engineer was especially impressed with Cato’s event discovery feature. “Whoever designed that should get a raise. That’s the detail we’re after,” he said. The firm also sent Cato some service tickets. In most cases Cato called back within five minutes. It became clear that Cato would enable the firm to rid itself of both MPLS and its current related security infrastructure.
With Event Discovery, customers can identify root cause in minutes by easily querying their routing, security, connectivity, and system event data.
Easy Rollout, Lots of Reliability and Savings
The firm rolled out Cato to all the other locations that had had MPLS. “The deployment was so easy that in most cases the local receptionist was able to install the socket with a little help from a how-to with pictures we prepared in Microsoft Word,” says the network engineer. “We would get on the phone with them and just say, ‘do step one, now do step two, etc.’ In many cases it took five minutes.” The firm installed a high availability configuration in the datacenter and didn’t have to consult Cato at all. An issue with a vSocket for Azure was fixed in time.
“Every company and install will have a few problems, but Cato really took ownership of that one and kept us informed until it was resolved.” The firm is also looking at using Cato’s mobile VPN capabilities down the road. “We love that Cato would give us IPS at the PC level, all tied into the Cato portal,” says the network engineer. “We could manage our offices and end users from one location. Why give the money to our current provider?” Cato was also inexpensive compared to MPLS, particularly compared to upgrading and managing all the current routers and security appliances at the company’s locations. “We were going to have to upgrade all those appliances soon and now we don’t have to buy all that new hardware and licensing,” says the network engineer. Cato was also more reliable. “We’ve had six or eight of those appliances die on us and it seemed it was just a matter of time before the others died too,” says the network engineer. “Why bother keeping them when Cato could do all that for us?” It was great to be able to get rid of all that hardware. “Now that we didn’t have to do all that complex routing we could even buy switches at a lower license level, saving us $1,000 per local switch.” Cato was also more secure. “With MPLS we had almost no office-to-office security. An internal security audit concluded we needed to improve that and since everything now goes through the Cato cloud we have.” The network engineer also finds the way rules are configured in Cato inherently more secure than that of his previous appliances. “With Cato you start by denying all traffic and then you build exceptions. With our previous solution it was the opposite, so sometimes we allowed traffic we didn’t mean to allow.” In all, the switch to Cato has been a great success. Says the network engineer, “It saved us money, it simplified our network, it made things faster and more reliable, and it gave us a lot of network insight.”
Van Leeuwen international distribution company replaced its 85-site MPLS and VPN network with the global SASE
Wholesale/Distribution/Logistics
As they’ve adopted cloud and mobile computing, more and more organizations have found their traditional MPLS networks rigid, cloud unfriendly, and expensive, while Internet-based Virtual Private Networks (VPNs) have proven unreliable and a bear to secure and manage. Many are finding an affordable alternative in secure access service edge (SASE) services based on SD-WAN. A perfect example is Van Leeuwen Pipe and Tube Group, which replaced all its MPLS and VPN services with SASE.
“We had built and managed a VPN-based network ourselves,” says Wiljoh Beukers, Manager Technical Support at Van Leeuwen Pipe and Tube Group. “In practice, it was not the reliable network we needed for our international operations. The MPLS network was stable, but with increasing demand for bandwidth and growing use of cloud applications, we were facing a substantial increase in cost for the lines. So when our MPLS contracts were about to expire, we decided to look into the promising world of software defined wide area networks (SD-WAN).”
The company sought a reliable, secure, lower-cost network alternative to connect all its locations, enhance network agility, and eliminate the complexity of securing its own VPN infrastructure. “Security was an important precondition for us,” says Beukers. “With our old MPLS-based network, we had to secure all connections between the individual lines ourselves.”
The company turned to Videns IT Services, a leading network-independent service provider of managed SD-WAN solutions, for help. The experts at Videns recommended Cato, the first SASE solution to converge SD-WAN and network security capabilities into a global, cloud-native platform. Read the full case study to learn more about Van Leeuwen’s experience and lessons learned while deploying Cato and working with Videns.
Low & Bonar Replace Global MPLS with Cato SASE Service from IPknowledge
Manufacturing
From traditional WAN to global network in the Cloud
Organizations are constantly on the move. But to be agile, having a flexible network infrastructure is crucial. This certainly applies to organizations such as Low & Bonar, who have international offices and do business all over the world. Mergers and acquisitions have completely changed the business environment within a few years and have created challenges in the areas of costs, management, and digital performance.
International WAN Challenges
Was it wise to continue the relationship with the telecom company, which was chosen in 2013? With this question, the preparation of a quotation request to several suppliers started in 2018. One thing was certain, namely that the world of international infrastructures had completely changed. It had to be done better, faster and above all cheaper.
Due to acquisitions from the past, the L&B IT infrastructure contained a relatively large number of different systems and applications, which resulted in a high management burden. Low & Bonar uses, amongst other things, an Oracle (JD Edwards) ERP system that is hosted on centralized servers in Arnhem. The Intex ERP system is also used for specific business processes (weaving industry). SAP ERP is also used. Other important business applications are also hosted in the central data center in Arnhem.
In addition, its own IT department was too dependent on the current supplier. “Creating new locations or change requests did not always go smoothly,” is how Paul Visscher, Head of Infrastructure and Security at Low & Bonar, puts it. The performance of the international network was also very different between the countries. For example, in China, the data first passes through a firewall controlled by the Chinese state. A dedicated bandwidth was needed here anyway, but later it turned out there was an even better alternative.
Making choices for the right solution
It soon became clear that this time it was not about simply renewing the MPLS network of the telecom provider. Partly due to the new possibilities of SD-WAN technology, there suddenly appeared to be many options: MPLS, Internet and even wireless (4G) connections in combination with various SD-WAN technologies. For Paul Visscher there was something else that was important, namely the ‘co-managed’ model offered by IPknowledge and Cato. As a result, control and direction of the WAN rested primarily with him, and without management costs. “As a result, I literally have flexibility and scalability in control, which is better for us than a fully managed environment of a traditional CSP, Communication Service Provider or Telco,” he explains.
Read the complete case study to learn more about Low & Bonar’s experience and lessons learned while deploying Cato and working with IPknowledge. Available in Dutch here.
Global Food Supplier Uses Cato Cloud to Ensure Global Performance, Security and High Availability
Food
The Challenge: Improve Network Security and Availability Without Compromising Performance or Agility
Manufacturers know all too well the pains of relying heavily on global VPNs. They might be more cost-effective than MPLS, but performance is very unpredictable, and setting up numerous VPN connections is too time consuming. And none of that touches on the problem of providing local security.
These were precisely the challenges facing Global Food Supplier. The company, which asked to be anonymous, develops and delivers healthy feed solutions for fish. It operates 31 manufacturing facilities and offices across Europe and the UK, in Central and South America, Tasmania, and now in China.
Prior to coming to Cato, the company ran its own network, connecting locations primarily via a VPN between on-site firewall appliances. Some MPLS links were used to connect several sites. As the company matured, it grew through acquisitions, and with that came the need to update its connectivity and security options.
The impending expiration of many of the sites’ license-support for the firewalls drove the company to reassess its security approach. The existing firewalls lacked the capacity to meet the company’s needs and would have required massive upgrades. Otherwise, the company would have had to disable critical services, such as virus scanning and SSL traffic scanning. The company knew it needed to enable advanced security globally, but the cost to do so with firewall appliances was very high.
Availability was another critical concern. High availability was only set up in offices in a few countries, leaving the remaining locations exposed with single points of failure. What’s more, the company had little visibility into the network’s operations.
If users had performance issues, or worse, the site experienced a network failure, the IT team lacked the insight to know what was going wrong. And as more applications began moving into the cloud, the company needed additional solutions for WAN optimization, and to reduce latency for applications such as SharePoint, team collaboration, email and M3 (ERP).
Cato’s SASE Platform Provides Significant Advantages
The company’s IT team made the pitch to executive management: standardize on Cato Networks’ global solution to benefit from several advantages. First, every site would be configured for high availability by installing redundant, cost-effective Cato Sockets, Cato’s edge SD-WAN appliances. Second, advanced security is fully converged into Cato’s SASE platform. The company’s network would be continuously monitored and scanned to detect suspicious traffic.
Global performance was also key. Cato includes WAN optimization in its global private backbone. By contrast, the existing VPN offered very poor performance in several countries, especially China, Costa Rica, Chile and Ecuador, due to its dependence on the public Internet. This made access to global systems like Office 365 and M3 almost useless.
Network visibility was another advantage offered by Cato. The company would now have deep insight into the performance of all last mile connections. Cato provides real-time and historical graphs for throughput, latency, jitter, and packet loss. The company would also have centralized management, 24x7 support and monitoring.
Finally, there were the cost savings of going with Cato. With Cato’s global private backbone, the company would be able to eliminate all MPLS circuits. And with Cato running security in the cloud, the company would avoid hardware upgrades of its legacy firewalls.
How Going with Cato Led to Consistent Performance and Security Worldwide
The company wanted a single global solution that could connect and secure all offices and production facilities in a consistent manner. Also, the company lacked internal expertise to support this network, so an external technology partner was needed to make configuration changes and keep the network running.
“We had some discussions about going with a global MPLS solution,” says the IT manager, “but we ruled out that option because even though we would theoretically get one supplier, we knew we would always end up somehow with more than one supplier and multiple points of contact because of all the countries we are in.”
Cato also allowed the company to eliminate all the branch firewalls and VPN connections. Cato Cloud is an affordable MPLS alternative, connecting all branches, trusted business partners, and physical and cloud data centers with an SLA-backed, affordable global backbone. The company’s remote locations connect to the company’s systems via redundant Cato Sockets; remote users connect through the Cato client. With all WAN and Internet traffic consolidated in the cloud, Cato applies a set of security services to protect all traffic at all times.
Firewall and other security rules are now centralized in Cato Cloud, so they are easy to manage and automatically updated by Cato. “It’s good to get the automated client and security updates from Cato,” says the IT manager. “We didn’t have updates from our firewall vendor—ever. Now we have everything updated centrally by Cato.
This ensures we always have the latest features enabled to protect our network.”
Support also stood out for him. “One of the best parts of our relationship with Cato is the level of support we receive,” he says. “Once we began our pilot with Cato, we saw that it is much, much easier for us to get high-level support from Cato than we could ever get with our legacy firewall provider, even after 15 years with them. They just didn’t care about us, but Cato is very attentive to our needs. We can talk directly to the people who will get our business needs implemented.”
Figure: With Cato, Global Food Supplier was able to connect even hard to reach sites, mobile users, and cloud resources with a single, global network, the Cato Cloud.
Future Looks Brighter with Cato’s Advanced Analytics
Looking toward the future, the company’s IT team plans to set up advanced segmentation of its network and to set priorities for its various applications. “We are looking at how much bandwidth is used by different applications and will use policies to prioritize what’s most important to us,” he says. “With all the insight and visibility we get from Cato, we’re confident we can optimize our bandwidth usage to get even more benefits from our network.”
JUKI Ramps Up COVID-19 Telework, Boosts Remote Cloud Performance with Cato
Manufacturing
The Challenge: One Network, One Security Solution
With users now working from home, enterprises have another reason to be frustrated with global MPLS. Not only are global MPLS services costly, but they’re also unsuitable for connecting the cloud resources consumed by the legions of remote and mobile users. The global Internet is of little help; it’s far too unpredictable. And having sites in China only limits the number of connectivity options. What then can an IT leader do to eliminate the high cost of MPLS while still meeting the needs for predictable, global secure connectivity that will meet the necessary regulations?
This was precisely the challenge facing Yoshiaki Kushiyama, Senior Manager of Information Systems for JUKI Ltd. The global manufacturer of precision equipment and needles for industrial and household sewing machines needed to deliver affordable, global access to Microsoft Office 365. “We had a plan to deploy Office 365 to the entire organization,” he says. “To get the best performance we needed to connect all our locations to a single network with uniform security, including locations that hadn’t been connected previously.”
Cost and regulatory compliance were big concerns. “We sought a solution that would cost as little as possible to deploy and maintain and we needed to comply with stringent VPN regulations in China,” says Kushiyama.
Achieving these goals, especially uniform security, was a challenge. “We didn’t have a clear understanding of what security equipment was installed at each location and who controlled what nor the bandwidth and connectivity available at each,” says Kushiyama. “We were also concerned about cloud security since we were deploying Office 365.
We had to ensure that the Microsoft applications would be accessible from the company network only.” Kushiyama had also heard that Office 365 deployment could increase bandwidth requirements up to five or ten times. “We wanted centralized network and security visibility, with the ability to upgrade bandwidth quickly if needed.”
JUKI Seeks SD-WAN Solution, Chooses Cato
Kushiyama knew that SD-WAN was a technology worth exploring when it came to deploying Office 365. “I had heard that SD-WAN, with its flexible deployment and management, was the right technology to get the best performance out of Office 365,” says Kushiyama, “so I started looking for SD-WAN solutions from vendors familiar with Office 365.”
Kushiyama contacted an SD-WAN vendor recommended by a colleague and got an introduction to that product. Two months later, Kushiyama was introduced to Cato. “Listening to the company reps, I found Cato’s solution immediately appealing, so I compared both solutions carefully,” says Kushiyama. He was a little wary because at the time, Cato hadn’t been deployed by many Japan-based organizations. “When comparing all the capabilities, however, Cato’s had an overwhelming advantage and met all our requirements, so I was eager to deploy it and promoted it to senior management,” says Kushiyama. “They too were worried about the lack of a track record in Japan, but eventually they approved the Cato solution.”
COVID-19 hit in the middle of the evaluation process and Cato’s fast, easy home and mobile VPN deployment helped to tip the scale in the company’s favor.
“Cato offered an environment where remote work could be done immediately and successfully using Office 365, letting employees do the same work that they did in the office,” says Kushiyama. “It also let us collaborate face-to-face easily with Microsoft Teams. This gave Cato a great reputation with senior management.”
Kushiyama was also impressed that with Cato, the same consistent level of security could be maintained for both the corporate WAN and the Internet. The use of the Internet for WAN connectivity rather than a dedicated line would enable JUKI to keep its network costs down.
Cato Delivers Easy Deployment, Fast Performance, Low Cost
Deployment of Cato across all JUKI’s global locations was fast and easy, requiring the installation of a simple Cato socket at each. “I went around with another person to each location to deploy the solution,” says Kushiyama.
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS.
Connecting a location to Cato is just a matter of installing the simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 60 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. JUKI’s 2742 mobile users run across the same backbone, benefiting from the same optimization and security features.
Cato’s mobile VPN capabilities were the most immediate benefit of the solution for JUKI, allowing employees to work at home with the same performance and security they had at the office. “Before Cato, the head office had no system for remote working at all,” says Kushiyama. “COVID-19 forced us to find one. With Cato all we needed to do was increase our VPN license and have each group company that was sending staff home install the clients. The move to remote work was so quick and smooth.”
Fast connectivity among all the company’s locations was also a major benefit, together with the ability to monitor network connectivity and security from a single console. “The big difference between Cato and other solutions is the integration of network management and security,” says Kushiyama. “It’s great to be able to grasp and respond to both network status and security at the same time on a single screen.”
Kushiyama also liked that he could increase network bandwidth easily as Office 365 use grew. “The more we use Office 365 the more bandwidth we need,” he says. “With Cato we just ask for more bandwidth and get it almost immediately. There’s no equipment or infrastructure to upgrade.”
Figure: The Juki global network — 2742 mobile devices and 37 sites all connected by Cato’s global private backbone.
Kushiyama and his team have also improved Juki’s security by reducing dwell time and the number of malware infections. “The malware detection rate at the head office has dropped dramatically,” he says. “If there is an infection at a location, it’s visible at the head office so we can alert them and deal with it quickly.”
As for cost savings, Kushiyama estimates that Cato provided a return on investment (ROI) that was five to ten times higher than that of MPLS.
In all, JUKI’s switch to Cato has been a great success. Says Kushiyama, “The combination of Cato and Office 365 made all the difference in JUKI’s ability to handle the COVID-19 pandemic and communicate across all company locations and employee homes as if we’re all in the same office.”
Global Sales and Distribution Firm Replaces Backbone Provider with Cato, Cuts WAN Costs in Half
Consumer Goods
The Challenge: Fast, Reliable, Cost Efficient WAN
Global sales and distribution firms need fast, reliable connections among locations to get business done and stay competitive. Such is the case with this leading sales and distribution company in the fast-moving consumer goods (FMCG) sector.
The firm has a portfolio of local and global brands that it sells and distributes through office locations in the Caucasus, Southwest Pacific, Middle East, and Southern Africa. Before Cato, it connected offices via MPLS and then a legacy global backbone provider.
Carrier MPLS was expensive and establishing new lines between branches took a long time. “We often had to wait more than three or four months for a new connection,” says the company’s CIO and VP of IT. Reliability was also less than perfect. “We had two MPLS links with failover at each business unit, but it seemed as if one line was always down for maintenance or some other issue.”
Fed up with carrier MPLS, the company switched to the legacy global backbone provider. “The performance and reliability improved, but bandwidth was only 2 Mbit/s and the service was still expensive,” says the CIO. At two days, deployment was considerably faster, but required some tech support and configuration of access control lists, policies, and BGP.
CIO Investigates SD-WAN, Chooses Cato
Always on the lookout for an easier, less expensive alternative, the CIO turned to his partner IT firm to investigate SD-WAN providers. Eventually, he decided to set up a Proof of Concept (POC) deployment with Cato in Georgia and New Zealand.
“With our partner firm, we ran a lengthy POC because we wanted to check everything out, including the availability, SLA, support response time, end-to-end service, and, of course, the actual user experience,” says the CIO. “Our current solution had features such as data optimization and caching to optimize the user experience. We wanted to make sure Cato could provide equivalent capabilities.”
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall and IPS.
Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 55 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance.
The firm started with a 50 Mbit/s Cato link and was immediately pleased with the results. “Much to our surprise the user experience was the same or better than with our current provider,” says the CIO. The company relies to a great extent on SAP for its ERP application and SAP performance was fast and reliable.
“The huge increase in bandwidth with Cato will come in very handy when we adopt Office 365 and have to distribute Windows upgrades to all our systems,” says the CIO.
Happy with performance, the CIO considered other added value the company could get with Cato compared to its current provider and other market alternatives. “Unlike our former provider, Cato came with a management console that let us monitor and control WAN traffic and configure DNS and some aspects of routing,” says the CIO. “With the current provider we had to open up a support ticket and wait for them to make those changes.” The CIO also liked the analytics dashboard and his experience with Cato support was excellent. “Any issues that came up were resolved very quickly.”
Sold on Cato, the CIO moved on to contract negotiation and found that a positive experience as well. “The Cato sales division was very flexible,” he says.
Fast Deployment, Lots of Icing on the Cake
The company replaced all its current WAN connections with Cato. Deployment at each location was surprisingly quick. “With our legacy global backbone provider, we needed their help setting policies, setting up ACLs, and configuring BGP. It took a few days,” says the CIO. “With Cato, setup took only a few hours. All we had to do was plug the appliance into the router port and watch it connect automatically to the nearest Cato PoP.”
Amazingly, even with Cato’s bandwidth, performance, management, and monitoring, the company was able to slash connectivity costs by 60 percent. “That alone is a huge win for us,” says the CIO.
However, the CIO is also excited about taking advantage of Cato’s security and remote access capabilities down the road, saving even more money and managing it all under a single interface. “We’re looking at using Cato to replace our current firewall, VPN, and unified endpoint solution, which is very expensive right now,” says the CIO.
“Getting all those services in one package would save us a lot in costs and be much less complex in terms of management. We can only win.” The company plans to investigate all these possibilities when it gets into the next budget creation process. Cato’s fast cloud access and integration are other features that intrigue the CIO. “We’re looking at moving to a hybrid cloud IT architecture based on AWS, Salesforce, and Office 365 with Microsoft Azure as well, so that’s three different cloud solutions.” All in all, Cato has been a big win and there are more wins to come.
Baltimore Aircoil Replaces MPLS with Cato, Improving Voice Quality, Enabling Video Conferencing, and Increasing Agility
Manufacturing
The MPLS Problem: Too Expensive and Too Short on Agility
Manufacturers know all too well the challenges of global MPLS — the delays, the high bandwidth costs, the lack of insight. Alone, such attributes pose significant problems for any company. But add in the need to spin up new sites rapidly, and it's easy to see why a global manufacturer, like Baltimore Aircoil Company (BAC), would look for a better solution.
A leading manufacturer of cooling systems, BAC’s cooling towers reduce the temperature in large manufacturing plants and provide the cooling effect of air conditioning used by businesses in office blocks worldwide. The company operated three MPLS networks, connecting 20 sites across Europe, North America, Russia, China, Australia, and South Africa. The three networks were interconnected in a datacenter in Brussels.
As business transformation progressed within BAC and IT usage grew, the infrastructure team became increasingly frustrated by the lack of agility to respond to new demands. There was insufficient bandwidth to adequately handle the new rollout of VoIP and video in North America. "Traversing a 10 Mbps MPLS connection has too many checkpoints before getting out to the Internet," says infrastructure manager Keith Tripp. At busy times of the day, this has a severe effect on everyone's VoIP conversations – with no easy solution. "You can't just call your MPLS provider and say I want any extra 20 megs tomorrow,” he added.
In Europe, BAC sales offices liked to relocate whenever they found a better location. The most significant delay to this process came from IT, which needed three or four months to relocate the MPLS circuits.
"Hopefully, we would get at least one of the circuits on time," said Michael Devogelaere, BAC IT manager infrastructure, "but sometimes it was the backup circuit that arrived first, with the main circuit a few months later."
However, a significant concern with its European provider occurred at the Paris site. Here, one of the provider’s subcontractors changed from copper to fiber, and the MPLS provider demanded a new multi-year contract from BAC. "We did not understand why we should sign a new contract when a subcontractor arbitrarily changed its technology," said Devogelaere.
Then there were the security concerns. Although the MPLS included firewalls, BAC had no direct control over them – and the firewalls and firewall rules differed between the different MPLS providers. Luc Derveaux, BAC’s global manager of information protection, was concerned that he could not personally respond to the data warnings provided by the firewalls. “The only real security we had was on the VPNs,” he added.
Troubleshooting was also complicated by having to juggle different interfaces when trying to solve a problem. “With separate MPLS and firewall architecture, all information was available in different locations,” says Michel Neuts, the network engineer who architected BAC’s new network. “It was difficult to correlate the information, which meant that we needed more time to diagnose problems.”
Permeating all the problems that BAC faced with its MPLS networks was the lack of agility – the inability to respond at speed to new requirements. Large scale, rapid development of work-from-home was one example. But so was troubleshooting real-time problems. “If we had a problem like the quality of a global video conference it would have meant waiting as we opened tickets with each of our MPLS providers,” says Neuts.
Searching for a Solution, Finding Cato
BAC knew that its existing problems would only get worse over time. It started looking for alternatives.
The easiest option would be a simple switch to using the Internet directly, but this was immediately rejected. “You need a solution that provides support,” explains Derveaux. “If you get an Internet problem between Australia and North America, who can you go to for help?”
The existing MPLS providers were asked about their SD-WAN offerings, but the BAC team found that the offerings were always dependent on at least one physical line – keeping the company tied to MPLS. Instead, the company investigated several alternative options. Some new offerings appeared promising but were considered untested and not market ready. Others required significant new investments in infrastructure. Then a network engineer who had been tasked with finding a new WAN solution suggested Cato Networks.
Cato Solves BAC’s Network Problems
After a brief PoC, BAC decided to go with Cato. With Cato, BAC reduced network costs by about 60% and significantly increased capacity. In Australia, for example, bandwidth more than doubled from 20 Mbps to 50 Mbps. The bandwidth improvements were even greater elsewhere. In Milford, California, it increased fivefold from 10 Mbps to 50 Mbps.
With Cato, BAC gained a single-pane-of-glass into the entire network. “I especially liked having all information available in one dashboard, one portal,” says Neuts. “We now have much more information on how our network is behaving than we did before.”
Derveaux’s concerns over security were also alleviated. “Going to Cato, we could see directly into the traffic and say, ‘There's a problem here, there's something wrong there,’” he said. He particularly liked Cato’s ability to drill down into networking and security events. “I checked it every day for several months,” says Derveaux.
Figure: With Cato’s Event Discovery screen, like this one, BAC is able to rapidly filter through all connectivity, routing, security, system and Socket management events across its global network. In this case, for example, security events (1) are filtered, looking for traffic to the URI /atomic.php, which is associated with Andromeda (2). The main view (3) displays the raw results.

But it’s the increase in agility that stands out. With Cato, BAC could resolve global problems in real time. “When we first decided to stream a monthly webinar to our 300 or so remote employees, we chose to do it as a live event across our video conferencing platform. Now live events are a bit different than your typical video conference; they’re in one direction, where users can see the speaker, not vice versa. Apparently, the provider changes up their protocols a bit as a result.

“During the event users started complaining about the very poor video quality. That’s unusual for this platform. So right then I opened the Cato portal and went into the real-time events page. I could see that the traffic was not being categorized as real-time video traffic but as web traffic, which meant that the QoS level wasn’t what it should be. I changed live events on this video conferencing platform to real-time video and, instantly, users across the globe saw a noticeable difference. There’s no way we could have done that as quickly with our MPLS network.”

Another example came when BAC moved a server to a new location. “When we relocated a server from Germany, we found it was getting a bit slow because we hadn’t considered the SMB traffic – with Cato, we were able to just change the priority of that SMB traffic. We could have done this with the other providers, but we would need to ask them, possibly pay a fee, and wait for it. With Cato, we just did it,” says Devogelaere.
Perhaps the most prominent example of the new agility came with the COVID-19 pandemic. “When we saw how bad it was in New York,” said Tripp, “we went to HR and said we need to do something. We gave our staff a Wi-Fi stick and headphones and told everybody they could work from home. From an IT perspective, it didn't matter whether people were at home or in the office.”

“Because of the pandemic,” he continued, “I would say that the VPN part of Cato was probably one of the biggest benefits. Previously multiple VPNs would come into one MPLS circuit and suffer bandwidth issues. Before Cato, the engineering team was unable to send CAD drawings via a VPN. Cato SDP [Cato’s remote access solution] made it possible. Cato enabled us to keep the lights on during the pandemic.”

What’s Next?

BAC is particularly happy with Cato’s support services. “The speed at which Cato was adding new features was really surprising,” said Devogelaere. “We really felt that we were part of the development of the product.” Two future options have already been considered. The first is the ability to publish an application using the clientless option of Cato SDP. “We have a requirement for some external people to access resources and our network, but we don't feel comfortable with having a computer that has a security policy that we don't know accessing our resources,” said Devogelaere. “If they can do that via jump hosts or something similar, that would be good from a security perspective for us.”

Figure: With Cato, BAC replaced its global MPLS network, remote access, and security appliances with a single, converged solution.

Another future option that has been considered by BAC is Cato's Managed Threat Detection and Response (MDR) capability.
With the customer already connected to Cato, Cato can deliver zero-footprint detection of persistent threats without requiring customers to install additional appliances. Cato MDR uses machine learning algorithms combined with human verification of detected anomalies, and Cato experts are available to guide customers through any necessary remediation. BAC doesn’t need Cato MDR today, but for Devogelaere and the rest of the BAC team, being able to enable MDR and other Cato capabilities instantly was a “welcome change” from the delays and headaches of MPLS.
KRAMP streamlines networking and security with a managed Cato SASE solution by Videns
Wholesale/Distribution/Logistics
From Legacy MPLS to SASE

Kramp operates right across Europe, with offices in many countries from Russia to the United Kingdom and from the Nordics to Italy, as well as a purchasing office in China. Kramp has undergone strong growth in recent years, both organically and through a number of acquisitions. This resulted in a situation where the company had to maintain and manage multiple, different WAN and security solutions and technologies, which was highly inefficient in terms of cost and labor. For security purposes, Kramp used multiple on-premises solutions from Sophos and Cisco.

Jos Nieuwenhuis, Enterprise Architect at Kramp: “In our WAN landscape, a number of branch offices were connected via outsourced MPLS connections and other branch offices via VPN connections in combination with internet connectivity which we managed in house. At some locations, we used internet connections that were sourced locally which made it even more difficult to communicate with the provider.”

Key highlights from Jos:

“The fact that connectivity and security are combined within one single solution will help us drive down cost and improve our internal customers’ experience.”

“Traffic optimization within the managed SASE network ensures that we need less bandwidth than before. This built-in efficiency allows us to minimize the costs of our WAN without sacrificing performance.”

“Thanks to the consolidated solution, we were able to phase out various security point solutions and terminate service contracts we no longer needed.”
Boyd CAT Doubles Network Performance, Boosts Agility with Cato
Manufacturing
The Challenge: Slow Application Performance, Poor Visibility

Retail dealerships face unique challenges in an era of digital transformation. To run their businesses today, they need fast, secure WAN connections from dispersed retail locations to applications in the corporate datacenter and the cloud and to manufacturing partners. Such was the case with Boyd CAT, a Caterpillar heavy equipment dealer. The company’s 20 retail locations were spread across Kentucky, Southern Indiana, West Virginia and Southeastern Ohio. All were connected to datacenters in Louisville, Kentucky and Belle, West Virginia using 10 Mbits/s MPLS connections. Its ERP application, Microsoft Dynamics AX, ran in the datacenter. Security was provided by datacenter firewall appliances, which also handled mobile VPN access, and a second firewall from the company’s MPLS carrier. With its expensive MPLS-based communications architecture, capacity was undersized and application performance often suffered, impacting customer service and other aspects of the business.

“With 10 Mbits/s MPLS connections, our branches were always complaining about slow performance,” says Boyd CAT Communications Analyst, Matt Bays. All of those expensive MPLS connections also relied on local last mile connections, which could be erratic. “Dealers in Kentucky and West Virginia suffered frequent dropouts,” says Bays. “If there was an interruption, we’d often have to contact the MPLS carrier which would then have to get us to the local last-mile provider.” Sometimes resolving performance and dropout issues could take days. When connections dropped, retailers could not access the company’s Azure based Microsoft Dynamics AX ERP application. Even when the connection was up, ERP performance could be painfully slow.
“All of our print servers are in Louisville, so if someone needed to print a customer invoice, the data would have to travel first to the MS Dynamics AX servers in the Louisville datacenter, and then all the way back to the retail branch,” says Bays. “At certain locations, the last mile provider might be running at only 3 or 6 Mbits/s, so it could take forever just to print a simple document.” To add to performance issues, there was no easy way to manage bandwidth allocation, so application performance would degrade even more when Windows operating system updates hogged the already slow connection. “On the second Tuesday of every month, our Windows update server would update all the laptops and desktops and everything else would slow down to a crawl,” says Bays. Boyd CAT also had to limit or prohibit use of streaming applications such as music services and YouTube to keep things running smoothly.

Visibility with carrier MPLS was limited, so it was difficult to troubleshoot performance issues. “We often couldn’t figure out if the problem was the application or the data circuit,” says Bays. Firewall management was also cumbersome. “To allow secure access to a new location from Caterpillar and our numerous other providers we’d have to go through our system admins who would have to get online and submit a request to the carrier,” says Bays.

Boyd CAT Investigates SD-WAN, Chooses Cato

Things changed when Boyd CAT’s head of IS attended a tech conference where he heard other attendees discussing their SD-WAN solutions. “After that conference, we were tasked with searching out SD-WAN providers and looking into the cost and implications of converting to SD-WAN,” says Bays. Boyd CAT considered Cato and two other SD-WAN providers in the telecom and network appliance spaces, according to Bays. “Immediately Cato seemed like the right fit.
The cost was reasonable, the implementation seemed so easy and the visibility was so much better than with MPLS.” Representatives from Cato and Cato’s local Kentucky and West Virginia last mile providers came to Boyd CAT’s offices for a meeting. “That was where we got the final approval to go with Cato.”

Cato connects all enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic. Connecting a retail location to Cato is just a matter of installing a simple Cato Socket appliance, which connects to the nearest of Cato’s more than 55 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, but it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone benefiting from the same optimization features, improving remote access performance.

Fast Deployment, Double the Bandwidth

Deploying Cato’s Sockets to each location was incredibly easy. “We ran around to each site, plugged them in, and assigned the license,” says Bays. “The actual cutover from MPLS took seconds.” “The branches were just loving it,” says Bays. “They started fighting over who would transition to Cato next. We were able to discontinue all our MPLS connections.” Thanks to the low cost of the Cato solution, Boyd CAT was able to more than double branch bandwidth, moving from 10 to 25 Mbits/s. Together with Cato’s optimization and global private backbone, the additional bandwidth led to a dramatic improvement in application performance.
Aside from sheer bandwidth, other performance improvements came from Cato’s improved visibility and bandwidth management capabilities. “With Cato we can limit the bandwidth used by Windows Update and streaming applications, so they don’t slow things down, and see who is doing what on each circuit,” says Bays. “That really excited us. We also have dual data circuits.” The latter means no more of the dropouts suffered with the last mile MPLS providers. Now it’s no problem allowing users to take advantage of YouTube, which is important because Caterpillar does some of its training via YouTube videos. When there are rare performance issues, Cato’s visibility makes it easy to trace the cause. “We recently had an issue at our Evansville location. I just logged into the local Socket, did a speed test and traced the issue to the application,” says Bays. Boyd CAT’s Helpdesk can also log into Cato’s console to troubleshoot performance issues.

A Smooth-Running Business

Bays can configure and change network and firewall rules directly through the management console, rather than having to submit a request and wait. “It’s so easy to open up a connection for a partner or use Active Directory groups to determine who can access social media sites such as Twitter and Facebook,” says Bays. Boyd CAT is also using Cato’s anti-malware and IPS capabilities. “They’re working great,” says Bays. “Support is always excellent,” says Bays. “We just click on the support tab and send a ticket and they respond very quickly. We don’t have to call in, go through all those options and not hear back for a few days.
We get a quick response and they often follow up to make sure everything is good, which is really nice.” Bays has started rolling out some Cato mobile VPN clients as well. “I love it. You just click a button to connect. When our licenses run out on our current VPN solution, we’ll look into switching all our end users to Cato VPN clients.” The result: Smoother, more secure business processes and enhanced productivity, thanks to Cato. Says Bays, “It’s just been huge for Boyd CAT to be able to get everyone in the business more bandwidth and faster, more consistent performance.”
Focus Services Crushes Call Center Latency, Boosts Security with Cato
Managed Services
The Challenge: Call Center Latency

Once upon a time, call centers relied on analog telephone lines to deliver the services their revenues depend on. Now that analog lines have been replaced with digital VoIP and call center Automatic Call Distribution (ACD) systems have largely moved to the cloud, fast, reliable WAN connections are critical to call center success. With more call center employees working from home--particularly since Covid-19--fast remote access is a growing requirement as well. Focus Services, a global outsourced call center provider with 10 call centers in North America, three in Central America, and one in the Philippines, is no exception. Not only must its WAN connections be fast, stable, and reliable, they must also deliver low latency or else voice quality will degrade, according to Bill Wiser, Vice President of IT for Focus Services.

Before Cato, Focus Services relied on carrier MPLS to connect its North American call centers, but had to settle for Internet VPNs internationally because MPLS options were just too expensive. “We were gaining a lot of international business, so better, more cost-effective global connectivity options were vital,” says Wiser. Latency and poor voice quality plagued its international long-haul VPN connections until Focus deployed an intelligent BGP routing solution. “The solution could monitor and prioritize traffic based on usage and switch providers and routes if latency became an issue,” says Wiser. “It was fairly effective, particularly in the Philippines, where traffic might take 12 to 15 hops to get to the U.S.” However, while latency improved, there were still issues and limitations.
“We had to deal with a complex piece of hardware and handle a fair amount of administration, including updates,” says Wiser. And while the intelligent routing solution could analyze traffic and switch providers when necessary, it still had to send traffic over the sometimes unreliable Internet. “There were still many times when we had to go in there and promote certain types of traffic manually to mitigate latency issues,” says Wiser, “and the solution didn’t handle inbound traffic nearly as well as outbound.”

Focus Services Investigates SD-WAN, Chooses Cato

Even though most of the issues lay abroad, Focus decided to begin its SD-WAN and Cato journey in North America initially, then spread the solution to Central America, with the Philippines rollout expected in 2021. “We looked at SD-WAN as a way to get rid of our expensive domestic MPLS circuits and use the savings to add some Internet redundancy with different providers,” says Wiser. “We could then use SD-WAN to offer rollover reliability of the network.” At first, Focus worked with a solution provided by one of its technology partners, but things didn’t go very well. “They were reselling one of the big mainstream SD-WAN solutions,” says Wiser, “but the vendor had little experience with it, so they were struggling. It didn’t seem like the right solution for our call center case anyway.” Wiser sought a more customizable solution, particularly when it came to resilience, and one that had a good international presence so he could eventually roll out critical international locations into the solution without much effort. That was when another technology partner introduced Focus to Cato.
“They thought Cato could provide all we were looking for, including some of the features of the existing intelligent routing solution we liked, together with all that SD-WAN automation and ease of management.”

Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic. Connecting a location to Cato is just a matter of installing a simple Cato Socket appliance, which connects to the nearest of Cato’s more than 55 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an onramp to its global backbone and security services. The backbone is not only privately managed for zero packet loss and 5 9’s uptime, it also has built-in WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features, improving remote access performance.

Cato Delivers the Goods

It didn’t take long for Wiser to settle on Cato. “We looked at some other solutions but only tested Cato because it was much more cost effective and easier to use than the others,” says Wiser. “The manageability of Cato was also pretty awesome. We love being able to pinpoint network issues and use the visual log to dive into them. We never had this visibility with our previous firewalls.” Cato’s converged backbone was another deciding factor, particularly for its Central America locations. “The other solutions were still working off installed lines,” says Wiser.
“We liked that we could get on that WAN that Cato has already put a lot of time and money into and use it to drop out close to the endpoint. Long-haul traffic from international locations to customers in the U.S. now gets MPLS-like performance. That has really helped our sales and deployment.”

The fast backbone connection most of the way to its ACD cloud service was a big plus. “QOS was always a struggle before Cato,” says Wiser. “It’s pretty awesome to hit that Cato network and see that traffic prioritized all the way through to the cloud, rather than just close to our site.”

Focus also liked using dual active/active ISP routes to the local Cato PoP. “Our intelligent routing solution was just a best route tool,” says Wiser. “Now we can duplicate traffic across both providers rather than just failing over, which is huge when you’re dealing with voice traffic. Voice doesn’t degrade nearly as often as it did before.”

Cato Cures Covid-19 WFM Woes

Focus didn’t incorporate Cato’s security services at first because it already had its own firewalls, Web filtering, and other security capabilities in place. That all changed when Covid-19 struck. “Like other companies, we had to move a lot of people home for work, including call center reps and our administrative staff. As we added hundreds of work-from-home users to our Cato account, we started ramping up its security services too. Now we’re using Cato’s internal traffic filtering and Web filtering to take over some of the things we were doing with our firewalls.
It all happened so fast, thanks to Cato, and was a life saver.” Cato has now replaced Focus Services’ mainstream vendor firewall/VPN solutions, which were originally serving only about 30 admin and IT users. “They were pretty limited compared to what Cato offers.” Cato’s malware protection and IPS are big goals for the future. “Covid-19 slowed us down a bit, so that’s definitely down the road. Before Covid we had lots of great plans, but they were delayed.” All in all, Cato has been a boon to the company’s call center business. “We’re very happy with the product and look forward to expanding its use to the Philippines.”
AmesburyTruth Boosts WAN Reliability, Agility, and Security with Cato SASE
Manufacturing
The Challenge: Fast SD-WAN Deployment, Reliability

As legacy WAN solutions prove less and less practical in the age of mobility and the cloud, many organizations have turned to more flexible SD-WAN alternatives to connect office locations to the datacenter and cloud services over a variety of connection types. Securing all those locations requires equipping each site with enterprise-level security solutions. Unfortunately, many organizations have found fulfilling the promise of SD-WAN a challenge, particularly on their first try. Such was the case with AmesburyTruth, a leading global provider of window and door components. The company sought a flexible way to connect 12 of its locations to the datacenter, the cloud, and each other. AmesburyTruth approached a major telecommunications provider, which set it up with an SD-WAN and security solution. To say that the solution did not fulfill its promise would be an understatement, according to AmesburyTruth Chief Information Officer Pat Bayer.

“Our legacy SD-WAN couldn’t meet our needs,” says Bayer. “We had every type of problem you can imagine. CPU utilization would go through the roof, appliances would crash, packets would be discarded all over the place. When we needed support, we had to go through the telecom provider, which didn’t know the product very well.” Only when a problem moved high enough in the support chain to the manufacturer would it be addressed. “It was just a nightmare,” says Bayer. To keep SD-WAN appliances running, Bayer’s staff had to reboot all of them at least once a week. “We spent all of our time trying to implement the previous solution. We still hadn’t gotten there when we decided it was time to move on,” says Bayer. The business impact was considerable.
“We had people dropping calls and company-wide-meetings with long pauses of silence and people dropping off,” says Bayer. Poor application performance hampered productivity and business agility. AmesburyTruth relied heavily on an ERP application that demanded a reliable, very-low-latency connection. All its branch and remote users depended on fast, reliable connections to datacenter ERP servers for real-time information critical to sales and other business functions. “Our SD-WAN solution just couldn’t deliver on that at all,” says Bayer. Security and management were also a disappointment. “Visibility was almost nonexistent,” says Bayer. “It was extremely difficult to tell if the firewall and other security functions were doing what they were supposed to do.”

AmesburyTruth Ends Contract, Finds Cato’s SASE Platform

Bayer and his team were through with the legacy SD-WAN solution. That’s when Bayer found Cato, thanks to a camera surveillance provider Bayer was looking to do business with. “We looked at all the SD-WAN and security solutions from major vendors,” says Bayer. “I asked my contact at the surveillance provider if in his travels he had heard of anything that other organizations liked. He said in his experience Cato was the only solution people didn’t have issues with. He was reluctant to talk about anyone else.” Since it had been burned in the past, AmesburyTruth set up proof of concept (POC) deployments for every single solution under consideration. “We really wanted to see firsthand what really worked, not just what people said worked.” “None of the other solutions we looked at had the simplicity that Cato’s SASE platform offers,” says Bayer. “We found that really interesting and liked all the traffic visualization and analytics Cato provided.” AmesburyTruth deployed Cato at three of its sites for the POC. With its previous SD-WAN solution it would take more than a day to get each site up and running.
“Even then we’d come out of the day with an extremely long punch list of issues.” “Our first Cato site took 30 to 45 minutes to get up and running,” says Bayer. “After that one we were spinning up new sites in 15 to 20 minutes. It was unreal, how Cato just worked where every other system we tried took a lot of configuring and tinkering behind the scenes to get everything to flow right. Cato was just head and shoulders above everyone else.”

Cato: It’s the Difference Between Night and Day

Deploying Cato to the seven other sites took place over the holidays. “The hardest part was an MPLS network we deployed from our previous vendor for low-latency applications. But getting the MPLS network up, running and working with everything else, including Cato, was the biggest part of the transition.”

Cato connects all enterprise network resources--including branch locations, mobile users, and physical and cloud datacenters--into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic. AmesburyTruth continued to connect internal locations with MPLS, but any external traffic, including cloud and mobile, ran over Cato’s global private backbone, which interconnects across multiple tier-1 network providers via more than 50 points of presence (PoPs). Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, so remote access performance is excellent.

Since the transition, the new network has been running much more smoothly. “All the previous network performance and application issues are gone,” says Bayer. “No more dropped packets.
No more meeting interruptions. No more rebooting. Cato has been rock-solid.” Visibility has improved dramatically. “With Cato we see in no uncertain terms that this traffic was blocked by that firewall rule,” says Bayer. “It’s like night and day. And now that so many people are working at home because of COVID-19, we’re really grateful to have that extra layer of security and visibility that Cato offers.” “We couldn’t be happier,” says Bayer. “Cato is one of those things we wish we had done a long time ago.”
RingCentral Moves Internal Network to Cato’s SASE Platform
Technology
Organizations face new challenges as they become digital enterprises. IT must become agile to adapt to constantly changing business requirements. Yet operations must stay lean even as they deliver excellent user experiences everywhere. These challenges confound many IT organizations and are precisely the ones Carlo Curato, Director of IT Infrastructure, and his team at RingCentral have addressed for several years.

Cloud First, Cloud Native Reduces Time Spent on Mundane Management Tasks

Named a Magic Quadrant leader by Gartner in the Unified Communications as a Service category, RingCentral is no stranger to digital transformation technologies such as mobility and the cloud. Curato considers both keys to RingCentral’s own continual transformation. “We’re a big proponent of cloud solutions and work from anywhere,” says Curato. “We’re our first and best customer and use our platform heavily.” RingCentral follows a cloud-first, work anywhere strategy for most other internal solutions as well. “We feel strongly that to stay agile, IT should focus on core capabilities and delivering to the customer and move non-core IT portfolio items to the cloud,” says Curato.

For Curato, cloud doesn’t mean spinning up a bunch of virtual servers in a cloud infrastructure. It means a complete, cloud-native solution managed fully by the provider, not your IT department. “The idea is that all the bells and whistles are managed and supported 24/7 by the cloud service,” says Curato, so the enterprise doesn’t have to spend time and resources on mundane management tasks.
“Functions like failover and patching take many hours off of IT time that could be spent on core competency functions that improve the business.” Cloud-native also means solutions that scale automatically to support demand and are managed and delivered on a global scale. “It gives us the ability to scale quickly to support the company as it grows or shrinks,” he says. And cloud-native means easy integration. “Anything we can tap into with a REST API is huge,” says Curato. “You no longer need to be masters of CLI. Instead, your DevOps team can modify or support the business using APIs and services that integrate, orchestrate and automate functions easily.”

RingCentral’s Purchase Criteria: SD-WAN and Cloud Native

RingCentral applied its cloud native, integrated, work-from-anywhere strategy to its search for an SD-WAN solution. “We’re growing fast, building offices, expanding, moving floors, moving people from floor to floor, moving servers from one area to another,” says Curato. “We want simplicity of deployment so we can get things up and running fast. We don’t want to spend a lot of time configuring, reconfiguring, and managing an SD-WAN solution. And with current travel restrictions, we need to take configuration out of the hands of the location or person holding the device.” That means pre-provisioning in the cloud. “The provider should be able to deliver the solution pre-provisioned in such a way that anyone at a home office, branch office or headquarters can just plug it into the Internet service and watch it light up.” Automation applies to SD-WAN security functions as well. “When you start managing your own firewalls, you expose a management interface to the Internet, where it becomes vulnerable to scans, hackers, and DDOS attacks,” says Curato.
“If there’s a vulnerability that can be exploited, you have lots of hackers out there looking to exploit it. We wanted a solution that doesn’t expose the interface but just talks directly to the cloud for security and management.”

Cato Delivers A True Cloud-Native SASE Platform

It was those requirements that led Curato and RingCentral to Cato. “We told a partner of our wish list and he introduced us to Cato.” Curato liked the way the Cato edge devices were pre-provisioned just like a RingCentral desk phone. “With Cato, it takes longer to order your Internet circuit from the provider than to get the Cato Socket up and running for the first time,” says Curato.

Cato’s management was also a big plus. “I don’t want to be in the business of figuring out where to put my firewall management software,” says Curato. “What happens if you need more firewalls? You need to buy more licenses. It’s a scaling nightmare. Cato has a single pane of glass with centralized management, security and seamless scalability.” Centralized, integrated management also makes it easier for Curato to address WAN performance and other issues. “A central repository lets you resolve issues quickly, so you not only deploy faster, you solve problems faster too.”

Figure: With Cato, RingCentral gained a single pane of glass into its network, security, and access infrastructure.

Cato Enabled A Quick COVID-19 Ramp Up

RingCentral’s cloud-native strategy and Cato’s integrated mobility and easy scalability were lifesavers as the COVID-19 crisis unfolded. “With a traditional VPN solution, we would have had to figure out how to scale an environment architected for only a small portion of the workforce working at home at any time.
With Cato, everyone can work at home right away. I don’t have to think about bandwidth and IP ranges. They’re all there, managed by Cato.”

Cato’s cloud-based security functions made it particularly easy for the development team, which has the most robust security requirements, to work from home. “Without Cato we probably would have had to send each team member a small firewall and configure and manage all of them. With Cato we just sent a preconfigured socket device with all the firewall rules pre-provisioned.”

Figure: With Cato, IT can drill down to gain deep insight into remote users, seeing configuration information, performance metrics, and more.

Cloud first, cloud-native, work from anywhere: Those are Curato’s mantra for a smooth digital transformation. And that’s how Cato helps RingCentral deliver on digital transformation.
ASM SMT Boosts WAN Performance and Agility, Cuts Costs with Cato
Manufacturing
The Challenge: A Fast, Agile Global Network

Global suppliers need fast, agile networks to keep business processes moving among manufacturing plants, warehouses, customers and partners. As a leading supplier of Surface Mount Technology solutions for computer chip and circuit board manufacturers, ASM SMT is no exception. With offices spread from the west coast of the USA to the east coast of China, the company’s globally distributed SMT segment found achieving such a goal a tall order.

Before Cato, ASM SMT’s offices connected over a global meshed VPN topology overlaid on top of MPLS. Local Internet breakouts added Web filtering and WAN optimization hardware. Mobile users connected to firewalls at core regional locations for remote access. “The solution worked okay, but it was very expensive and took a long time to provision,” says Ian Bleazard, ASM SMT IT Director of Infrastructure and Analytics. “We operate in China and Vietnam, where you can be looking at a 180-day lead time for connectivity. Six months can have a substantial negative business impact.”

With a typical office consisting of the usual stack of edge security products (firewalls, Web filters, etc.), new site deployment was also dependent on multiple security vendors delivering on time, which, of course, often led to further delays, according to Bleazard. In many cases, each appliance had to be managed separately, so configuration was a tedious and sizeable task at scale. Any changes to the regional firewalls had an impact on remote user connectivity. “With shared memory and CPU resources among firewall and remote access functions, the regional firewall appliances were often unfit for increasing demand,” says Bleazard.

ASM SMT Investigates SD-WAN, Chooses Cato

ASM SMT sought a simpler solution that would deliver business agility, security, and good performance at a lower total cost of ownership.
“SD-WAN was intriguing to us, so we set out to research the technology and some vendors,” says Mr. Bleazard. “Three vendors made our shortlist, but it soon became clear that there was only one all-encompassing winner.” The winner was Cato. “Other vendors either lacked middle-mile backbone solutions, required backhauling of traffic between locations or couldn’t provide built-in WAN optimization and security functionality,” says Mr. Bleazard. A trusted local vendor introduced ASM SMT to Cato. “Immediately we had a good feeling. Cato had a promising solution that could solve a lot of our issues and they presented it to us in a very honest, upfront manner.”

ASM SMT put together a proof of concept (POC) project with Cato for three business locations. “The idea was to throw some of the major issues we encountered with MPLS at the POC scenario. For example, we wanted to see how Cato would address speed issues with centralized Product Lifecycle Management software, SMB file copy, and videoconferencing performance over the WAN. During the POC, Cato improved performance more than 100 percent vs. MPLS.”

“It’s rare that you hear from users when things are going well, but, amazingly, during the POC we had users from all over the business thanking us and telling us how much it was improving their daily business productivity,” says Bleazard. “The productivity of those on the POC significantly increased and more importantly it removed some of their daily frustrations.”

Cato Delivers Agility and Performance at a Lower Cost than MPLS

Convinced, ASM SMT proceeded with Cato deployment across the other locations. “Our MPLS contract had eight months left, so we could roll out Cato gradually,” says Mr. Bleazard. “Cato’s use of BGP made the rollout seamless, with dynamic routes published automatically as soon as a site came online. We were able to switch over with almost no outage, which is key, as any outage can cause issues with production and other key business functions.”
The savings and performance grew as MPLS contracts expired and ASM SMT transitioned to Cato. “Cato’s pricing structure allowed a higher bandwidth among sites vs. MPLS and its packet loss mitigation feature helped a lot with VoIP and video packets reaching their destination without a break in communication.” He was also very pleased with Cato support. “Cato usually answered our emails within 10 minutes, and we were able to get someone on the phone quickly when something was important,” says Bleazard. “The general feeling was that support was there when we needed it.”

ASM SMT has since begun rollout of the Cato VPN client as a replacement for the internal VPN gateways, a process that accelerated as the Covid-19 pandemic sent workers home, first in China and then everywhere else. “Generally, you don’t transition technology during a crisis, but we felt we had to move a few hundred users--mostly the ones that use a lot of bandwidth--onto the Cato network for VPN and it worked out really well,” says Bleazard. “The VPN provides straight access to the Cato backbone and the services they need, rather than backhauling everything to the local office. They really like it and find it easy to use--and that’s rare. Having one console for everything makes the whole management process much simpler as well, and very much helped us stay on top of these unique circumstances.”

Overall, Bleazard is very pleased with the Cato experience and plans to expand remote access using Cato and deployment to future locations. He adds, “The past eight weeks is one of the few times I’ve ever received emails from users saying thank you.” With Cato, ASM got the security and network performance they needed, converged into one seamless solution for all sites, cloud resources, and mobile users.
Guardian Credit Union Improves Network Control & Security with Cato
Credit Union
Cloud applications demand greater network visibility, without compromising security or increasing complexity

Guardian Credit Union is a regional business that faced big network challenges. The credit union needed better visibility and application control, without compromising security or making the network so complicated it would require a team of wizards to operate.

Like many companies, Guardian had relied on a mix of point-to-point, layer-2 connections to connect sites. The MPLS and Metro Ethernet network was configured in a hub-and-spoke topology, backhauling requests to Guardian’s central datacenter to access applications and data, and from there out through a secured Internet portal. In short, it was the kind of complex configuration typical of legacy enterprise networks. “I have experience in complex environments so it's not hard for me to get it and support it, but I have other things to do too and so does our team,” says Scott Rosen, vice president of technology for Guardian.

Managing a complex network requires lots of training, which Rosen wanted to avoid as a requirement for Guardian’s IT operations team. “It takes a ton of time and expertise. You don’t just go out and take a couple of courses in how the network works in a complex environment,” says Rosen. “So for us, moving to SD-WAN wasn’t necessarily about reducing costs, even though that was something that happened, but it was more about visibility of the network. We wanted to reduce the complexity of the network but maintain its protection and resilience.”

One reason improving visibility was particularly important for Rosen and his team was the struggles voice and cloud applications had across private networks like Guardian’s.
The company was increasingly looking to adopt video conferencing, Microsoft 365, and other applications, so providing quality of service (QoS) at the edge was very important.

SD-WAN Requires Security to Replace MPLS

SD-WAN provided a way to simplify the network but that meant adopting Internet everywhere. The inherent risks were obvious. “Now that we're getting away from private connections, we risk exposing ourselves by providing Internet connections now at all locations. So that was something to weigh. How could we mitigate that risk?” It meant that security had to be part of his SD-WAN assessment.

The notion that traffic across the WAN can be trusted, a common belief in legacy network design, had to be upturned. “If you trust the traffic between a branch and a datacenter, you’re increasing your risk. If there’s a piece of malware in the branch, which thankfully we never had, the malware could propagate across the network. You must inspect the traffic.” And that inspection must be based in the network. “You can use endpoint control in the computers but that doesn't fix IoT or devices that might have different operating systems than the ones you control. You really need to have inspection and control in the network.”

Rosen Considers SD-WAN Solutions but Finds Security, Management Lacking

Rosen investigated conventional SD-WAN solutions, but none of those alternatives prioritized security. “We led with ‘security first’ in our assessment, but conventional SD-WAN solutions sold security as an add-on or required a separate security solution.”

Also, conventional SD-WAN solutions required going through a telecom provider or ISP, who would manage the solution for Guardian. The credit union was already dissatisfied with telco support and did not want to give telcos more responsibility.
“It’s hard enough to get them to fix the services they were already providing,” Rosen says. “You already experience problems and now they want to sell you a complete turnkey management solution where they manage your entire network.”

Figure: Cato’s SASE architecture allowed Guardian to prioritize traffic to ensure VoIP and other applications received the necessary bandwidth.

Rosen Turns to Cato’s SASE Platform for SD-WAN – And More

Cato provided Guardian with the enhanced security, application control, and operational simplicity the credit union required. Cato allowed Guardian to achieve needed security without layering on firewalls and other security services, which would have increased network complexity. “Security wasn’t just part of Cato’s technical solution. It’s in Cato’s roots. Your CEO and founder came from that world,” says Rosen.

Cato also proved easy to understand, improving the productivity of the Guardian IT team. The IT team could troubleshoot problems quickly without requiring a great deal of networking expertise. “Anybody on our team now can go in and understand where traffic is flowing and how it’s working,” Rosen says.

And the transition to Cato prepared Guardian for the Covid-19 pandemic. “Who knew that the steps we took months and months ago to improve our network would prepare us for Covid-19,” says Rosen. “But moving to Cato was instrumental in us being able to be elastic and more dynamic in helping us respond to not just the shift to remote workers. Not only could Cato support our remote workers, but we didn’t need to bring cloud and Internet traffic back to our datacenter and consume our resources. We could keep that traffic where it belonged in the cloud.”

Figure: With Cato, Guardian gained network visibility into its complete network and security infrastructure.

Cato Support Proves to be ‘Nimble’ and Responsive

Overall, Rosen is extremely impressed by Cato’s commitment to customer service. Rosen notes that one night he called Cato after 9 pm and Cato offered to do a remote support session despite the lateness of the hour. Guardian was at that time doing a proof-of-concept (PoC) with Cato — though Cato didn’t know that until later — and Cato’s above-and-beyond commitment to support helped Guardian decide to give Cato its business.

Cato has also proven responsive to enhancement suggestions. “Cato is nimble. When I need something fixed or have a product enhancement, Cato listens,” says Rosen. And Guardian and Cato share a common corporate culture of putting the customer first. “Honestly, I’d love to tell you it was all about the product, but your people, too, are a differentiator.”
Brake Masters Puts the Brakes on Outages Across 71 Sites with Cato
Retail
Outages Keep Business in Second Gear

Network connectivity is essential to any retail operation. Unreliable, slow network access can translate into lost revenue through credit card processing delays and lower customer satisfaction as guest Wi-Fi grinds to a halt.

Just ask Steve Waibel. The director of IT for Brake Masters, a leading auto-repair chain spanning 71 sites across the United States, had been struggling with his legacy MPLS service. The MPLS network connected Brake Masters’ 71 stores with T1 lines, carrying traffic from the Point of Sale (PoS) system for credit card processing, and from the guest Wi-Fi that customers use to pass the time while waiting to get their cars repaired, back to the Brake Masters datacenter in Tucson, Arizona.

But Waibel found the MPLS to be "just plain unreliable" and slow, he says. "We faced weekly outages in one store or another," he says. The network was also unable to deliver a decent guest Wi-Fi experience. The free Wi-Fi from Brake Masters was often limited to just 500 Kbits/s, far too slow for YouTube or to do much more than basic Web browsing. "We got quite a few complaints about that," Waibel says.

And MPLS proved to be a drag on Brake Masters' schedule for opening new stores. When a new store was ready to open, they were often waiting on connectivity. "We had an ongoing issue with provisioning MPLS," Waibel says.

Cato Gets Brake Masters Cruising

Waibel knew he needed to fix his network and began researching SD-WAN vendors. "All totaled, we probably evaluated 10 to 12 SD-WAN vendors," he says. But alternative SD-WAN solutions proved to be too expensive and complicated, requiring Brake Masters to maintain firewall appliances at every location. They also relied on the public Internet, which Waibel thought was going to be too unreliable and unpredictable for Brake Masters. With Cato, Waibel found a solution that met his needs.
Cato is the first implementation of Gartner's secure access service edge (SASE) architecture and converges security and networking into a global, cloud-native platform. Sites, mobile users, and cloud resources all connect to the nearest PoP of Cato's global private backbone, a geographically distributed, SLA-backed network of 50+ PoPs, interconnected by multiple tier-1 carriers. The backbone's cloud-native software provides global routing optimization, self-healing capabilities, WAN optimization for maximum end-to-end throughput, and full encryption.

In the end, Waibel chose to deploy Cato across all 71 locations, configuring sites with a Cato Socket, Cato's SD-WAN device, and dual last-mile Internet connections, typically cable and fixed wireless. "Currently, we've connected 55 locations and moving forward with converting the rest," he says.

Brake Masters Deploys Sites Quickly and Improves Performance

Waibel says Cato meets all the needs for retail locations, including easy management, deployment, and getting notifications of potential network problems before they're a big deal. "All that makes it very easy to run your retail establishments," Waibel says. More specifically, opening new stores with Cato has been much faster and easier than with MPLS. "We order lines, and they're always in well before the store is done," Waibel says.

With Cato, he also vastly improved his customer Wi-Fi experience. "Since we moved to Cato, our bandwidth increased by approximately 30 times the speed we had before," Waibel says. "Now, the customer's Wi-Fi experience is much better. We’ve stopped receiving complaints since deploying Cato," Waibel says.

The changes in the last mile infrastructure also meant better uptime. "None of our sites have lost complete connectivity since deploying Cato," he says. "Sure, there are disruptions in the last mile, but the Cato Socket just moves the traffic over the secondary connection. The users never know the difference," Waibel says.

The portal makes it easy to set up a new site, manage a site, and manage firewall rules. "The management portal is well designed. It's my favorite feature," he says. "All the information you need to manage the network is right there."

A case in point is his security infrastructure. Instead of deploying branch security appliances, Waibel relies on Cato security services: NGFW, anti-malware, and Cato IPS. He administers his security rules centrally in the Cato management portal, automatically applying them to the stores everywhere, all without deploying additional security appliances.

And when there are problems, Waibel has been able to resolve disruptions far faster with Cato. "We get a view of every single store, and we can tell if there's a problem at any store," Waibel says. "Every day, we know exactly what's going on, and we can address any issues that might be there."

Figure: Brake Masters has been able to replace MPLS with Cato, connecting and securing all business locations.

New Network. Great Experience.

Instead of stores calling in with problems, Cato automatically notifies Waibel of connectivity issues. "Often, we're already on top of things when the store becomes aware of the issue," he says. "With Cato, we've become very proactive."

"Compared to what we used for six years with MPLS, it's like night and day. And I would never go back."

"I would recommend Cato to other companies considering moving to SD-WAN," says Waibel. "Opening new stores now goes smoothly, pricing is affordable, the cloud firewall and private backbone provide a great experience, and services are easy to set up," he says.
ASL Aviation Achieves Near Perfect Uptime, Boosts Security with Cato
Aviation
The Challenge: Build A Reliable Global Network Despite M&As

When you’re a freight airline, uptime is critical. But achieving high uptime in any network formed through M&As is all too often complicated by the mix of legacy systems and technologies.

Such was the challenge for ASL Systems. The French freight airline, which serves the likes of Federal Express, DHL, and UPS, needed the network to be available and operational if the company was to fulfill the service level agreements (SLA) to its customers. Those SLAs commit to having planes depart within two minutes of scheduled flight times, 98 percent of the time. To achieve this metric, technicians required fast, 24/7 access to ASL’s Maintenance, Repair, and Operations (MRO) systems from any of the company’s airport locations.

But those and other applications ran in the cloud, and ASL’s network faced periodic problems. “At least once a month, a broadband connection would drop, disconnecting a site completely and depriving technicians of access to systems they needed to keep aircraft up and running,” says ASL Aviation Holdings Chief Group Information Officer Fabrice De Biasio.

What’s more, the ASL network was a mix of technologies built from the various acquisitions. The network, an Internet-based VPN, connected two corporate datacenters, three primary public cloud services, and aircraft and crew bases in 10 European countries and Hong Kong. The company had used the cloud, specifically AWS, Azure, and the Google Cloud Platform, to eliminate some legacy technologies, but the sites still ran different firewalls. “When you grow through acquisitions, you have to rationalize, scale, and build off of synergies,” says Brian Ampwera, IT Project Lead.
“Doing so is impossible without a viable cloud strategy.”

All of which meant that, in general, network visibility was poor. “We had no way of knowing how bandwidth was consumed by business applications and social media, for example,” he says. “We often weren’t aware of an outage until we heard from users. Since we couldn’t connect to the site, it was almost impossible to diagnose the cause without sending an IT team there physically.” The closest IT team could be 100 or more miles away.

Reconnecting or adding a new site also took too long, as it required building multiple VPN connections to datacenters, cloud services, and other locations. “With each site, the growth of the number of connections became exponential,” says Ampwera.

Security is a significant issue for any airline, with one carrier losing 80 percent of its operations from a cyberattack. ASL’s security relied on a collection of firewall appliances at various locations, each with different configurations and rulesets. Managing all of them was complex and time-consuming, requiring multiple tools, consoles, and upgrades. “It took us three to six months just to plan and deploy major firewall updates,” says Ampwera, and updates frequently required maintenance outages. The result was a lot of effort for security that was often behind the curve.

ASL Rejects MPLS and SD-WAN, Chooses Forward-Looking Cato Solution

Seeking to rationalize its WAN and upgrade performance and its security posture, ASL briefly considered MPLS and SD-WAN. “MPLS was not a good fit, as it couldn’t be deployed to all our locations, and it would take too long to connect new sites,” says De Biasio. ASL was looking for new technology that would have a long life and simplify WAN connectivity and security as much as possible. The company also considered SD-WAN. “We held off because we wanted more services than we were finding,” he says.
Finally, a partner introduced ASL to Cato. “Immediately, I had a good feeling,” says De Biasio. “Our goal was to have a secure and safe network, and Cato gave us both. It offered a new technology that would allow us to remove all our old complex firewalls and VPNs, it would reduce cost, and it was very simple to manage and monitor.”

Cato Delivers Visibility, Reliability, Security, And Agility

ASL deployed Cato Sockets, Cato’s zero-touch SD-WAN devices, at each site. Before Cato, it took two weeks to add a site to the network. With Cato, it took less than a day. “We simply connect the Socket and watch it configure itself automatically with Cato’s SD-WAN,” says Ampwera.

The Cato Sockets connected to a DSL line with 3G/4G wireless backup connections. Immediately, uptime improved. “With Cato, outages dropped by 90 percent,” says De Biasio. “We’re at 99.99 percent availability going on 100 percent.”

And when a problem does occur, ASL can eliminate the network as the issue just by looking at the Cato dashboard. Then it can move up the stack to troubleshoot applications. “Before we had to spend an hour or more pinging networks and checking numerous dashboards.”

Overall, Cato has immediately improved visibility dramatically. “Cato gave us Superman-like x-ray vision that enabled us to move from reactive to proactive,” says Ampwera. “With a single-pane view of the entire network showing the quality of each connection, we can detect and fix issues before they have an impact on the business.”

Performance improved as well, thanks to Cato’s route optimization and network analytics. “Analytics help us measure and understand what we needed to do to improve performance over time,” says Ampwera.
ASL has been able to replace all of its security appliances with Cato’s enterprise-class security stack, which includes NGFW, IPS, SWG, anti-malware, and managed threat detection and response (MDR). What’s more, no longer does ASL have to spend months planning and deploying firewall upgrades. Cato handles all that in the background. IT can set a single global security policy and make adjustments as needed for each site. Security is airtight. “With Cato, we can dynamically block malware before it appears in the wild,” says De Biasio.

De Biasio loves that he can turn to one competent vendor for any WAN or security issue. Usually, ASL staff hates calling support because the whole process is long and painful. When ASL had a configuration issue, Cato was able to resolve it in 5 to 10 minutes.

“Typically, with SD-WAN, I’ve found that the reality of delivery doesn’t match the reality of the pitch,” says Ampwera. “With Cato, it does. There’s no drama.”

Best of all, Cato allows IT to stop worrying so much about the network and take care of more important things. “We have a motto that IT never sleeps,” says De Biasio. “With Cato, now I can sleep.”
Geosyntec Connects 60+ Locations, Improves VoIP and Remote Access Punch with Cato Cloud
Engineering
How to Deploy Skype for Business Without MPLS

Collaboration is essential to most enterprises, but voice and video collaboration are too sensitive to route over the Internet, and scaling up MPLS can be very costly. What can IT leaders do without increasing their networking costs?

That was the challenge facing Edo Nakdimon, senior IT manager at Geosyntec Consultants. The environmental consulting service had relied on MPLS service to connect 67 offices across North America with T1 (1.544 Mbits/s) connections. Geosyntec initially ran voice over MPLS using Cisco CallManager in its datacenter. Routers at the branch offices provided local breakout, sending voice traffic across the MPLS circuit and the rest of the traffic across the Internet.

“Enabling voice, video chatting and other collaboration services over a single T1 line is like trying to push an elephant through a pinhole," says Nakdimon. “For optimal experience, we knew we had to either scale up our existing solution or rearchitect our Wide Area Network environment. Without the proper network design traffic such as voice and video will suffer.”

Collaboration, though, wasn't the only application that concerned him. The company's consultants rely on Geographic Information System (GIS) software and CAD for their work. The GIS project files were stored on servers in the respective Geosyntec offices. However, the consultants often had to open files in remote offices, pulling the large files across the DMVPN connections. "If there's any latency, if there's any lag, we're going to hear about it," says Nakdimon. He decided to migrate to Skype for Business and replace the MPLS service with a network architecture that could address all of his application needs.
Cato Meets Geosyntec’s 'Ever Evolving' Needs

Nakdimon initially investigated traditional SD-WAN offerings but was skeptical of vendor claims that they could maintain quality of service (QoS) across the Internet. "I don't care what any SD-WAN provider will tell me; I don't care what any network engineer will tell me. They can’t guarantee markings will pass over the public Internet across multiple internet service providers," he says. "Once traffic leaves the endpoint, it's beyond the vendor's control. This is just the way it works."

Cato distinguished itself because its SD-WAN devices connect to Cato's global, private backbone. And with more than 50 points of presence (PoPs) across the globe, Cato was located near Geosyntec's strategic locations. These factors ensured Cato could provide the QoS Geosyntec requires. "I looked and saw that Cato's SD-WAN devices were connecting to its private network and thought that was 'perfect.' It's exactly what I wanted," he says.

Nakdimon conducted a PoC, and "everything worked great," he says. There was no comparison between MPLS's T1 connection and the 25 Mbits/s connections he used with Cato. Since then, he's rolled out Cato across all of his North American locations, replacing MPLS with Cato's Secure Access Service Edge (SASE) platform.

As an early Cato adopter, Geosyntec experienced some "growing pains," he said. He points to problems with firmware upgrades to the Cato Socket, Cato's SD-WAN device, as an example, which needed to be addressed. "I generally found Cato support to be quick and responsive," he says. "Once that was done, we have so far no complaints. If you have complaints, typically it was not on the network side. We've been very happy so far," Nakdimon says.

Gradually Nakdimon has expanded beyond MPLS replacement, activating other Cato capabilities, such as Cato security services, to protect branch offices. "Networking is ever-evolving," says Nakdimon. "Day-by-day needs and requirements are changing, and at Geosyntec, we need to constantly research options to meet those ongoing changes and requirements. Cato provides us with a platform for delivering the networking and security capabilities that help our users increase their productivity while allowing our network engineers to concentrate on other projects by reducing the management time and overhead."

Cato SDP Solves Global Geosyntec’s Remote Access Challenge

Remote access has been another service Nakdimon activated for his users. Like many enterprises, Geosyntec faced the challenges of widespread remote access posed by the COVID-19 pandemic. Nakdimon had already planned to deploy Cato SDP (Software Defined Perimeter), Cato's remote access solution, before the pandemic. "Corona was just an added reason for me to roll it out," Nakdimon says.

Nakdimon accelerated his Cato remote access adoption in part because of the scalability issues of his VPN servers. "We utilize a few different VPN technologies. With the COVID-19 pandemic on the rise, many of our users began to work remotely. Our VPN traffic spiked, in some cases, hitting the limits of our VPN servers," Nakdimon says. Not only was scaling VPN servers a problem, but so was performance.
Users initially connected to a VPN server in a Geosyntec location but continued to send data through those offices even when accessing data in a different location, introducing latency and bottleneck issues. Instead, he deployed client-based Cato SDP, equipping more than 1200 remote users with Cato's Mobile Client. "Deployment was quick. In a matter of 30 minutes, we configured the Cato mobile solution with single-sign-on (SSO) based on our Azure AD," he says.
By running the Cato Mobile Client, users are automatically connected to the nearest Cato PoP, bringing them the full benefits of Cato's security services and network optimization. "Cato SDP extends the QoS and network policies in our SD-WAN, to our remote users," he says. "We found that we could reduce network overhead and eliminate bottlenecks for remote users. By connecting them directly to Cato, we eliminated unnecessary hops across the public Internet core."
In addition, Nakdimon was able to deliver additional security to remote users. "The easily deployed [single sign-on] and web filtering integration provided us additional layers of security for our remote users," says Nakdimon. "The Cato remote access solution is simple to deploy, yet robust. It improved our employees' ability to securely and productively work remotely."
Figure: With Cato, Geosyntec connected 67 sites and more than 1200 remote users (only 101 are currently shown) onto the same network, all managed through the same console.
Geosyntec Looks Ahead with Cato
Looking ahead, Nakdimon hopes to replace Geosyntec's branch firewalls and routers with Cato security services.
Overall, Geosyntec credits Cato solutions with streamlining WAN connectivity and remote access, augmenting security, and providing a high degree of user satisfaction, Nakdimon says. "My team and I received many emails from employees saying this is the best experience they have had out of all the VPN clients," Nakdimon says. "They email me. They're thrilled. And if users are happy, management is happy."
Healthcare Provider Complete Care Gains Control Over Its Network and Costs with Cato
Healthcare
The Challenge: Eliminate the Growing Pains of an Ad Hoc Network by Deploying a More Secure, More Reliable Network
Like many companies, Complete Care Community Health Center (CCCHC) faced the complex mix of technologies often encountered when going through a merger and acquisition (M&A). The healthcare group devoted to serving Los Angeles had been adding clinics and services over the past decade. Those new facilities brought their own technologies, leaving CCCHC with a hodge-podge of network technologies, firewalls, and voice systems. The clinics were connected by Internet-based VPN across a mix of DSL, T1, and fiber lines.
Without a consistent network platform, availability was an issue. There were no SLAs with the multiple carriers and little redundancy built into the network. Bandwidth costs were also an issue. Some sites had dual circuits because they needed the bandwidth. One site had to connect to the network via LTE, and this service alone cost $2,000 a month. A less expensive DSL line was installed for backup but sat idle much of the time.
Each new clinic also brought its own basic firewall, leading to a mix of legacy products and no standardization among them. This made it hard to configure and enforce consistent policies to ensure that patient data was secure and HIPAA compliance requirements would be met. It also meant that CCCHC lost network-wide visibility, having to probe each firewall to piece together an overall understanding of the network.
The network’s instability impacted company operations. Voice services at each clinic were provided through local key systems and telephone lines. As a result, forwarding calls to a centralized call center became difficult and unreliable. Better voice solutions certainly existed, but CCCHC’s network meant the company couldn’t take advantage of them.
Accessing the company’s NextGen Healthcare practice management software also became a problem. More than 150 employees across the clinics relied on this SaaS application, all accessed from across the VPN. But the setup and maintenance of the VPNs took too much time. “Having separate firewalls and separate VPN configurations was very cumbersome and messy,” says Eric Norberg, CTO at CCCHC. “Cato streamlined all of this through their Private Network and their simple consolidated portal for management.”
CCCHC also struggled with a lack of internal, skilled IT resources. Because of the disparate systems, the costs to support it all were skyrocketing, especially on the voice systems and Internet usage. The IT team had limited capacity to integrate the complex network and negotiate favorable telecom contracts.
Koi Consulting Group Recommended Cato to Both Unify and Simplify Networking and Security
CCCHC brought in the Koi Consulting Group, a technology strategy group, to implement a managed infrastructure. Mark Manuel, Founder and Technology Architect at Koi Consulting, says that CCCHC was hindered by its makeshift network and the lack of visibility and governance of its systems. “The company was experiencing extreme growing pains with its IT systems,” says Manuel. “Their understanding of their network and the cost of operating it were the biggest factors. Things were spiraling out of control and the systems just didn’t work together.”
Rebuilding the on-premise network would require replacing a lot of existing circuits and equipment, which would be cost-prohibitive. Koi Consulting recommended redesigning the company’s network and delivery of critical IT services based on Cato’s cloud-based network.
“We like Cato’s concept of all-in-one network and security, especially the next generation firewalls,” says Manuel. “It allows us to take a holistic approach to providing CCCHC everything they need right now, all managed through one portal. It just makes sense. Later, we can add additional services like managed threat detection and response, and advanced virus protection as needed.”
Cato Brings Network Management, Costs Under Control
Koi Consulting rolled out the Cato network at the healthcare clinics quickly. The only hiccup came when they had to wait for the local carrier to upgrade some of the communication lines. “We added second circuits for some of the sites, did some IP adds and designed a VLAN for the voice services,” says Norberg. “Overall, it’s been a very smooth deployment.”
Now, instead of VPNs between the firewalls at all of the clinics, the clinics simply run a Cato Socket and send all traffic, including the traffic for the practice management SaaS application, across an encrypted tunnel to the nearest Cato point of presence (PoP) for security inspection and then forwarding along the optimum path to the destination. The security inspection is carried out by the Cato PoP software, which includes a suite of enterprise-grade security services including next-gen firewall/VPN, Secure Web Gateway, Advanced Threat Prevention, Cloud and Mobile Access Protection, and a Managed Threat Detection and Response (MDR) service. All are updated and maintained by Cato, giving CCCHC an always current security infrastructure – a fact that is especially important for the HIPAA-regulated healthcare industry.
And with one network connecting all offices, CCCHC has gained a single pane of glass for their network. The instant visibility was a “real eye-opener” that allowed CCCHC to shape the traffic and prioritize applications. “We had a file sharing application that was just killing our network because it was always on,” says Norberg. “Now we’ve set the application to use bandwidth when the network isn’t busy. That alone has made a huge difference.”
The network improvements introduced by Cato have also meant CCCHC could improve its communication system. “With Cato providing the redundancy and security, we’ve been able to move to a completely hosted environment for voice,” says Norberg.
The self-management aspect of the Cato network is important. “We can log in, make a couple of changes in the portal, and it’s done,” says Norberg. “Then we can test it and see it in real time. It’s just so easy.” Norberg cites the example of the clinic office that’s dependent on LTE for its communications. “With Cato, we were able to offload the non-critical applications to the cheap DSL line and leave the LTE for the high priority applications. This bandwidth management dropped our cost from $2,000 to $300 a month, and we were able to control that ourselves.”
Other costs have come under control as well. By redesigning their network and going to an IP-based phone system, CCCHC has increased operational efficiency. The company is actually paying less for those services using Cato than they did before.
Koi Finds Value in Delivering Cato as a Managed Service
Koi Consulting will continue to manage the network for CCCHC.
“Cato has made it easy for us to support CCCHC today as well as where they want to go,” says Manuel. “We have a lot of control over the network through the portal. We can layer on security and move forward quickly. It’s great for us as a managed services provider but at the same time it’s great for the customer because it’s something they want and need and now realize they can’t live without.”
Figure: CCCHC gets a snapshot of a site’s details directly from the Cato dashboard. Clicking on a site provides detailed link statistics, application metrics, and more.
Manuel adds that they could have chosen some other vendor to partner with, but Cato provides a strong network backbone and the connectors to everything the customer needs. “Cato provides so much control and ease of use in one solution. It gives a lot of visibility and governance over what they need to do and understand.”
As for Norberg, he’s excited to finally have a mature security strategy in place. “We are now a corporate entity with a security perimeter around the entire nine locations instead of a mom-and-pop clinic which we were before. Having the insight and control over all aspects of the network and security has changed the dynamic moving forward for good.”
Kyocera Senco Improves Availability, Continuity, and Manageability with Cato SASE Solution
Manufacturing
Continuity and availability have long been key attributes of enterprise WANs. But as companies turn to SD-WAN, achieving around-the-clock uptime and network availability is not always a given. Just ask Kyocera Senco. The Dutch-based specialist in fastening solutions had deployed its own SD-WAN solution. “The performance was good, but we could not always guarantee the needed continuity. Downtime has a big impact on our business and after one time our systems were offline for half a day, we started looking for another solution,” says Peter Fluitsma, Managing Director of Kyocera Senco. The company turned to Cato and Videns IT Services, a leading network-independent service provider of managed SD-WAN solutions, for help. Cato’s revolutionary global secure access service edge (SASE) service converges SD-WAN and network security capabilities into a global, cloud-native platform.
Kemin Industries Replaces 60-Site Worldwide MPLS Network with the global managed SD-WAN services
Manufacturing
With the adoption of the cloud and frustrations with costs and headaches of the telco bundle, more and more global companies are turning to global secure access service edge (SASE) services as an alternative. Case in point is Kemin Industries. The ingredient manufacturer made the strategic decision to replace its 60-site MPLS network. “Before the expiration of our WAN contract in September 2018, we evaluated if we were still on the right track with MPLS in terms of price and technology,” says Nik Meeus, Worldwide IT Technical Manager at Kemin Industries. “Our provider had grown so big that the collaboration did not run as smooth as we would like in terms of administration, deployment, and support. Also, the cost of the lines was relatively high compared to the available bandwidth.”
Another important factor was their fast-growing adoption of cloud solutions and applications such as Microsoft Office 365. “Most of our subsidiaries had only one single internet connection. This posed a risk in terms of application availability and continuity, so we wanted to have redundant connections to the cloud,” he says. The company turned to Videns IT Services, a leading network-independent service provider of managed SD-WAN solutions, for help. The experts at Videns recommended Cato, the first SASE solution to converge SD-WAN and network security capabilities into a global, cloud-native platform.
Leading EdTech Provider Replaces Global VPN and Optimizes Mobile Connectivity with Cato SD-WAN
Education Technology
Firewall Appliances Complicate Site-to-Site Connectivity
Mergers and acquisitions have a way of creating havoc for IT professionals. Take, for example, the experience of one educational technology (EdTech) company. Over the span of two years, this company, which asked not to be named, had acquired roughly eight companies, each with different networking standards. “It was a disaster,” says the IT manager. “We had seven or eight different sets of standards in anything and everything in networking, including different models of firewalls.”
At first, he tried replacing those firewalls with “top-of-the-line SD-WAN equipment” from a major networking vendor that “probably cost us over $30,000 a year for three sites,” he says. But performance proved to be a problem with the appliance. “I had a gigabit connection to the Internet, yet my sites would not connect more than 100 Mbits/s.” He put in a secondary system, a leading firewall appliance. When he saw performance exceed 100 Mbits/s, he moved all of his services to the firewall.
But establishing site-to-site VPNs from each branch office to the central firewall in Fulsom proved to be a short-term solution. Managing seven separate branch firewalls, even from one vendor, involved multiple full-time jobs. The company’s distributed management system “didn’t do a particularly good job,” says the IT manager. Site deployment was also complicated. “It didn’t let us see everything on a single-pane-of-glass,” he says. “You couldn't just do one thing, click on a link and get your site connected to another site. You still have to modify multiple links from multiple locations to establish a VPN.”
Defining policies was also complicated. “If you get into the firewall rules between the sites you’re destined to have problems. The rules were continuously conflicting because of our naming structure.
Three network engineers might call the same site slightly different names (such as “Seattle HQ” instead of “Seattle”). And when you log in next time, you only see one named instance, not an IP address. Instead of telling the system ‘I would like an RDP connection’ in a relatively English way and ‘don’t allow file transfers,’ you had to dig deep into every site and every port and make them match.”
Activating processor-intensive features on firewalls can also impact performance. “Every time we enabled monitoring on our firewall, performance went to a tenth of the Internet speed. In the headquarters, we had a 1 Gbit/s link, but when we enabled logging, we couldn’t even reach 100 Mbits/s.”
As for mobile user performance, the IT manager says he regularly had to field user complaints about poor performance. “All across the world — India, Africa, and Southern America — our main connectivity point has been to the headquarters in California. So users in India trying to access websites in India had their traffic cross the globe twice — first to the headquarters in California and then back to India,” he explains. “The same is true in New York. A user from New York browsing the New York State University site, for example, must first send traffic to California only to cross the Internet back to New York.”
The so-called “trombone” effect became a significant cause of Internet performance complaints. And direct Internet access from each office wasn’t an option; the headquarters' IP had been whitelisted for access to multiple departments, explains the IT manager. Traffic sent directly from branch offices would have been blocked. The EdTech company ended up pushing all Internet traffic through the headquarters' firewall, creating a pricey chokepoint.
“With 300 or 400 additional users than what our system is designed for, I had to choose between increasing bandwidth from 1 Gbits/s to 10 Gbits/s and doubling our price or supporting fewer users.”
Cato: The Global SD-WAN Service That Connects Sites, Mobile Users, and the Cloud
Frustrated by his experience with Internet-based VPNs, the IT manager began looking for an alternative solution. Extending his VPLS implementation globally wasn’t an option. “The international connections are really expensive. They ask for an arm-and-a-leg — $50,000 a month. And the speeds that we require aren’t available. You can get a 5 Mbits/s connection for a couple thousand dollars, but we need 100 to 200 Mbits/s.”
He decided to revisit SD-WAN with an eye towards ease-of-use and performance. “We wanted a usable system out-of-the-box that didn’t require us to send for a week-long training,” he says. “I wanted my CFO to be able to manage and see what's going on in the network. And I didn't want to tell him how to browse through the screens to see what's going on.”
The IT manager says he spoke with “every single possible SD-WAN provider” before coming to Cato. He particularly liked Cato’s global network. “That [the global network] was huge for us. We didn't want to connect from our site to another site directly across the Internet. The public Internet is, well, the public Internet.”
He considered another global SD-WAN backbone provider but rejected them for several reasons. “Number one was the client VPN. They wanted to connect the clients to each office separately, similar to our firewall connections. The approach didn't make sense to us. I don't want to connect my East Coast users to East Coast and West Coast users to West Coast firewalls.” What’s more, the provider required the EdTech company to purchase its last mile service.
“Their system didn't seem to be fully compatible with what we needed to do,” he says. “They wanted to sell me the last-mile carriers, and I already have multiple new connectivity contracts signed.”
Cato Adoption Simplifies Deployment and Improves Performance
The company decided to deploy Cato, and today has connected 13 sites and more than 1,100 mobile users to its Cato instance. Site installation has become much easier. The ability to use a wide range of last mile services has also given the IT manager greater deployment flexibility. “Instead of buying super-duper fiber connections, now I'm able to buy a coax cable from one provider and fiber from another, combine them, and still achieve tremendous and reliable speed. If either of them goes down, I'm not losing anything other than, maybe, a slowdown in connectivity.”
Figure: With Cato, the EdTech company gained deep insight on their application usage and bandwidth consumption.
Users are seeing better cloud and Internet performance now that they no longer need to backhaul Internet traffic to California. The Cato mobile client automatically sends a user’s traffic to the nearest Cato PoP, where Internet traffic is sent directly onto the public Internet. Cato has more than 40 PoPs worldwide. The EdTech company’s network experience is also more consistent with Cato than with its Internet-based VPN. “When we're connecting to India or Canada, we can see traffic has a more stable connection with Cato,” he says.
Figure: The EdTech company used Cato to connect its sites and mobile users together and to the cloud.
Case in point, SSL/TLS interception.
“With firewall appliances, you install certificates from your firewall and only then you realize that when your user goes to another site, you again need to install another SSL certificate at that appliance,” he says. “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.”
Cato: So Simple It’s “The Apple” of SD-WANs
But most of all, the IT manager liked Cato’s ease-of-use. “Cato is the Apple of SD-WANs. You give an iPad to a one-year-old and watch him browse through the apps. That's what I see with Cato. As soon as my network engineer logged into the management system, he was a master in 10 minutes.”
New Wave Group Quintuples Capacity, Boosts Flexibility with the Cato Cloud
Manufacturing
Prior to Cato, New Wave relied on MPLS to connect its European subsidiaries and one Far East location to its two corporate datacenters in Sweden and the Netherlands. Internet VPNs also connected locations to one another. For security, the company relied on centralized security appliances, so just about all traffic had to be backhauled through New Wave’s two datacenter locations.
The Challenge: A Global Network with Capacity and Flexibility to Support Continuous Growth
Like many organizations, New Wave struggled to afford global WAN connections with enough bandwidth to support its rapidly growing operations. “MPLS is really expensive,” says David Brouwers, New Wave Group IT Infrastructure Manager. “Even though we boosted MPLS bandwidth over time from 2 Mbps to 10 Mbps and even 50 Mbps, it always felt as if we couldn’t afford the bandwidth we really needed.”
Beginning in 1990, the company started launching and acquiring new brands across Europe at a rapid pace. The company expects to continue doing so in the coming years. With such fast growth, network flexibility and quick ramp-up of new WAN connections became critical – a problem for MPLS. “With MPLS, it took up to six months to connect a new office or warehouse location,” said Brouwers. “That was simply unacceptable for a growing business like ours.”
Reliability was another thorny issue. “Even with a large telco and lots of backup lines, we found that our MPLS went down too often,” says Brouwers.
“We tried switching MPLS providers, but the improvement was minimal.” And with MPLS’s limited bandwidth, applications underperformed, with staff complaints running five or ten per week under MPLS, says Brouwers. Last mile provider options offered by the telcos were limited, and even though they were supposedly managing their providers, New Wave found performance and reliability lacking. “When there was an outage it could take up to two days to get up and running again,” says Brouwers.
New Wave’s centralized security architecture was also problematic, as it required backhauling all the traffic through the security solutions at its two datacenters, with the inevitable performance hit.
New Wave Group Takes the Cato Plunge: Upping Bandwidth and Dropping Complaints
New Wave considered SD-WAN alternatives to MPLS, including the Cato Cloud. “We talked with Cato for more than a year, but MPLS was the given with the long track record,” says Brouwers. After months of discussion and proof of concept with Cato, New Wave made the decision to go for it and started adding locations one by one to the Cato Cloud. “The difference was dramatic almost immediately,” says Brouwers.
New Wave allotted the same budget to Cato that it had been targeting to MPLS and other external lines. The result? Tons more bandwidth. “We found we could multiply the bandwidth of each site by five or more with Cato without increasing cost,” says Brouwers. “10 Mbps went to 50, 20 went to 100.” The productivity impact was dramatic. “Staff complaints about business system performance have plummeted to two or three total in the past six months with the Cato Cloud. That’s more than 90% fewer service tickets and a lot fewer frustrated users,” says Brouwers.
“We still have performance issues with our business systems but network performance has been ruled out as a factor.” Performance has been consistently good even as average file sizes have grown. “We’re working with much larger image files today, particularly in our textile firms,” says Brouwers. “In the past, if someone uploaded a huge catalog, network performance lagged, and everyone’s productivity was affected. Not anymore.”
Connecting new locations now takes days or hours instead of months. Still, Brouwers recommends careful planning around the last mile. Local tail lead times can still negatively impact the deliveries. “The business is moving very fast. Now with Cato we can match that speed on the network side,” says Brouwers.
Reliability issues have also been reduced, especially along the last mile. “We’ve been considering last-mile management for a while, but we haven’t moved on it because, truthfully, with Cato we’ve had so few outages.” And with Cato, if New Wave doesn’t like a last-mile provider it can just switch, which wasn’t possible with MPLS. “We also have more backup solutions in place, so the impact of an outage with one provider is not nearly as great as it once was,” says Brouwers.
Cato: The Future for New Wave Networking and Security
While New Wave still takes advantage of the security solutions at its two datacenters, Cato has enabled it to begin to move away from security appliances, shifting anti-malware and IPS to Cato Cloud for several subsidiaries and branch offices, resulting in performance and security improvements.
Figure: New Wave Group network spans more than 50 locations across the globe, all interconnected by Cato Cloud.
New Wave plans to continue connecting new locations to the Cato Cloud and is considering adding Cato Managed Threat Detection and Response (MDR) to its security arsenal. Says Brouwers, “With Cato we increased bandwidth, improved support, and gained the flexibility to grow and experiment. The Cato Cloud just fits our business a lot better than MPLS.”
Aquila Connects 60+ Locations Across Australia with Cato’s Global Managed SD-WAN
Retail
Internet VPN Becomes too Complex and Limited for Growing Company
Like many retailers, Aquila needed to connect its many stores; an Internet-based VPN sounded like the right approach. It was available everywhere and didn’t pin the company to a carrier. And it was affordable, which made it well suited for connecting small retail outlets, some with only a single computer. But as the premium quality footwear manufacturer grew, the limitations of Internet-based VPNs became all too apparent.
With 60 retail locations, warehouses, a headquarters, and applications running in Azure, Aquila’s VPN became incredibly complex. “With each new store, we had to manually establish VPN connections with every other location. At first, it wasn’t that big a deal, but with more sites, we ended up spending hours establishing the VPN. It just didn’t scale,” says Mike Zidaj, the IT Manager at Aquila. And since stores had to be manually connected, uptime was often compromised. If the local staff didn’t properly connect the VPN, then IT had to manually log in every Sunday to force a connection to enable inventory logging at the site. “At any one time, approximately 30 percent of our offices were showing offline at the headquarters,” he says.
What’s more, with encrypted traffic (HTTPS) only growing, Zidaj was increasingly losing visibility into the company’s Internet usage. The firewalls lacked the horsepower to decrypt the traffic. “We attempted to do URL filtering with our aging, end-point control software but it was hard to manage, lacked centralized reporting, and not all that effective. Users could easily get around it,” says Zidaj. As a result, security was at risk and visibility was limited.
“We couldn’t tell if employees were watching YouTube or working. There was simply no easy way of enforcing security policies on Web traffic,” says Zidaj.

Zidaj Rejects MPLS and Turns to CyberRisk and Cato For Help
Zidaj began looking around for a solution for his connectivity and security challenges. He considered deploying an MPLS service: “A lot of retailers were using MPLS and local firewalls,” he says. “But the approach was too costly and would have locked us into the telco.” Zidaj heard about Cato and turned to CyberRisk, a Cato partner, for assistance. “As a thought leader and trusted advisor in enterprise networking and security, we are excited to partner with Cato Networks in the ANZ region and see the value Cato delivers to our customers,” says Leong Wang, Director of CyberRisk. “Cato Networks is a leader in next-generation networks with integrated security services and is a huge differentiator from the aging global telco model.”

Zidaj decided to take the plunge. He replaced his Internet-based VPN and end-point control software with Cato. Cato Cloud is the only managed SD-WAN service that connects and secures mobile users, the cloud, branch offices, and headquarters across Australia and the rest of the globe with the agility of the cloud.

Zidaj leveraged Cato’s mobile security and optimization to connect small locations with just a Cato Mobile Client. Avoiding appliances at each retail location significantly simplified deployment. Without an appliance to install and maintain, deployment was quick and simple. What’s more, all too often retail locations set in malls can only gain Internet access through private IPs provided through the mall’s Internet provider.
Unlike many SD-WAN solutions, the Cato Mobile Client, as well as Cato’s SD-WAN device, the Cato Socket, can operate behind a NAT. Zidaj equipped the computers at each retail store with Cato mobile clients. The mobile client sends all traffic across an encrypted tunnel automatically established to the nearest Cato point of presence (PoP). Cato Cloud currently covers all major Australian business centers from PoPs in Perth, Melbourne, and Sydney. His Azure instances were connected through Cato’s agentless integration into Cato Cloud. A few clicks on the Cato Management Console and an IPsec VPN connection was established from the Cato PoPs to Microsoft Azure. Cato collocates its PoPs in the same physical datacenters as the Internet Exchange Points (IXPs) of the leading cloud datacenter providers, such as AWS and Azure.

“Deployment was good, and the setup was pretty simple and straightforward,” he says. “The Cato sales team, Cato Support, and CyberRisk helped a lot. It went well. We selected Cato, in part, because of its super quick and easy deployment.”

When Zidaj is ready, he’ll also be able to connect larger locations with Cato Sockets. Cato Sockets load balance traffic across multiple circuits — MPLS or Internet (DSL, Cable, LTE and more) for maximum performance and uptime. Sockets correct for packet loss and dynamically route Internet and WAN traffic across the optimum last mile to the nearest Cato PoP. The PoP’s cloud-native software inspects all traffic, even SSL/TLS traffic, applying the necessary networking and security policies. Traffic is forwarded across Cato’s global network or onto the Internet. All Cato Sockets come with Affordable High Availability (HA) built-in for inexpensive redundancy.

Deployment is Simple, Visibility and Control Improve Significantly
Since deploying Cato, Zidaj has seen uptime improve significantly. “Our Cato dashboard now usually shows all locations connected and users have noticed the more reliable access,” he says.
Better network connectivity has directly impacted the business. “Now our inventory database stays current because with Cato our connectivity is so solid. If there’s a brownout or even a blackout on one line, Cato auto-connects by itself,” he says. And with Cato’s next-generation firewall (NGFW) inspecting all Internet and WAN traffic — encrypted and unencrypted — Zidaj is able to better secure his network. “The single pane management also gave us much improved control and visibility. Management is now able to see if shop staff are visiting Web sites that didn’t comply with our security policies — and take action.”
BioIVT Connects and Secures Global Network with Cato Cloud and the Cato Managed Threat Detection and Response (MDR) Service
BioIVT Secures Global Network with Managed Threat Detection and Response (MDR) Service
Manufacturing
The Challenges Facing BioIVT: Adding New Locations, SaaS Application Performance and a Security Blueprint
Like many fast-growing companies, BioIVT, a provider of biological products to life sciences and pharmaceutical companies, depends on its network being agile and secure. Mergers and acquisitions (M&A) are part of the company’s DNA, but fast integration of new company networks is challenging when running appliances. Protecting the network from Internet-borne threats was also important.

The BioIVT network was a 14-site, Internet VPN. It was an “old Cisco network,” says Andrew Thomson, director of IT systems and services, with each site running Cisco routers, interconnected by VPN tunnels. “With every new site, we needed to build tunnels to every other location. Configuring those tunnels took time. We budgeted 90 days or so to get new locations up and running,” he says.

Application performance was also a problem. The company’s New York-based ERP system and Office 365 instance were accessed by the other locations. Accessing both applications meant traversing the Internet, which became a problem particularly for users working from home or overseas.

And then there was the security issue. “We knew we’d have to look at our security strategy. Penetration testing with our Cisco routers was going to be a step. But updating our security architecture was going to require running around to different vendors, piecing together a solution, and going through all of the deployment and management pains,” he says.

Agility and Speed: Key Requirements for BioIVT’s Networking Solution
Thomson began looking around at various networking solutions for connecting his locations. Agility and speed of deployment were critical if he was to integrate new offices faster. “SD-WAN made the most sense from an ease of use perspective,” he says.
He considered an SD-WAN appliance and a telco-managed SD-WAN service. SD-WAN appliances meant he had to operate over the unpredictable Internet and both involved deploying even more infrastructure. Neither would have addressed his security issues.

Then he ran into Cato. “Cato did a lot of what we were after — which is saying a lot,” he says. “Customer service and support was fantastic. Everyone was great to work with and rollout was very easy.” Instead of taking 90 days to configure tunnels and integrate each location, Thomson now is able to bring up new locations in as little as 30 days. “With Cato we just ship a configured device to the site. Personnel plug it in and we’re ready to go. There are no subnetting issues; no building individual tunnels. The Cato Socket connects to the Cato network itself. The whole operation is a lot less administrative and involves a lot less technique than the Cisco series routers.”

And with his locations connecting across the Cato Cloud Network, not the public Internet core, performance has improved. Sage ERP has become more responsive; Active Directory synching works more effectively. As for Office 365, “It’s been fantastic,” he says, “really good speed benefit.” Thomson has been able to deploy voice and Unified Communications as a Service (UCaaS) from 8x8 across his Cato instance. “The voice quality over Cato has been awesome,” he says.

BioIVT Protects Sites With Cato MDR
Today, BioIVT has all locations on Cato. But it’s not just networking provided by Cato that’s helped BioIVT; it’s also the security services. “When we found out that Cato not only delivered a global network but also offered built-in security services and now MDR, we were extremely excited. It was a huge help,” he says.
Thomson secures Internet connectivity and site-to-site connections with Cato firewall, protects mobile users running the Cato mobile client with Cato’s secure web gateway (SWG) capabilities, and uses Cato IPS for preventing network-based threats. More recently, he’s activated Cato Managed Threat Detection and Response (MDR) to hunt for threats on his network.

Cato MDR is a fully managed service that offloads the detection of compromised endpoints onto Cato’s security operations center (SOC) team. The service uses machine learning algorithms to look for anomalies across the billions of flows in Cato’s data warehouse and correlates them with threat intelligence sources and complex heuristics. This process produces a small number of suspicious events that Cato security researchers analyze, only alerting BioIVT on actual threats. BioIVT is relieved from handling the flood of false-positives that suck precious IT resources.

“Cato MDR has already discovered several pieces of malware missed by our antivirus system,” says Thomson. “We removed them more quickly because of Cato. Now I need to know why the antivirus system missed them.”

Remediation Without the Fuss
As part of Cato MDR, customers are notified immediately of verified live threats. Cato’s SOC advises on the risk’s threat level, recommended remediation, and follows up until the threat is eliminated. “We’ve integrated Cato’s ticketing system with our own,” says Thomson, “so once the SOC discovers a threat the right IT resources are allocated.” Cato also allows companies to automatically block C&C domains and IP addresses. Best of all? Cato MDR is built into BioIVT’s network. “Before Cato, we didn’t look at MDR. We just hadn’t gotten around to it because of the complexity.
So having MDR built into the Cato platform has made all the difference in the world.”
Figure caption: Cato MDR includes a monthly audit report of all incidents.
Picanol Group Weaves Better Network Connections, Reduces Costs with Cato SD-WAN
Manufacturing
Picanol Group Was Looking for New Technologies to Address Networking Needs
With operations spread across the globe, Picanol Group experienced varying levels of network performance and reliability. With the MPLS contracts expiring, the company had the perfect opportunity to see if newer technologies could better support its current operations and future plans for cloud computing.

Like many other enterprises, Picanol Group had a hub-and-spoke network connecting its global locations, with the hub being in Belgium. The company’s major sites in Belgium, China and Romania had MPLS circuits, and all other smaller branches used Internet-based VPNs to access the company network. Internet access for these smaller sites used a local breakout through a firewall. The firewalls also established point-to-point connections for the sites.

The company set up a failover configuration using the Internet and the MPLS connections. If an MPLS circuit were to fail for some reason, the site could cut over to the broadband circuit and use VPN to stay connected to the network. Failover was critical to support Picanol’s business-critical ERP and CRM applications in the event of an MPLS outage.

The WAN configuration was working for Picanol Group, but when the time came to renew the MPLS contracts, they opted to look at networking alternatives. “Cost was one aspect of our interest in alternatives, but mostly we wanted to know if there were new technologies available to address our networking needs,” says Bart Lagast, Senior Systems Engineer responsible for network, security and messaging. Lagast had been reading about SD-WAN and thought it could help solve some problems for Picanol and prepare the company for future needs.
The cost of the three MPLS connections was already rather high and adding more circuits to improve performance in the local sites would be cost-prohibitive. In addition, the performance of the IP VPN in a China branch was troublesome, with the Chinese national firewall causing a lot of delay and packet loss. Connectivity in Indonesia was problematic as well. Regional differences with the telcos resulted in connectivity issues at various local sites.

A POC with Cato Proved that Picanol Group Could Improve Performance While Lowering Costs
Lagast selected two SD-WAN solutions for a proof of concept (POC) trial. “We investigated which SD-WAN vendors were the best for us in terms of the solution they provide, and we came up with two—one of which was Cato, of course.” One of the most important selection criteria was that the SD-WAN have a point-of-presence in the locations where Picanol is active, especially China and India. “The geographical spread of the POPs was critical for us,” says Lagast.

Lagast did an estimate of the cost of the two SD-WAN solutions to cover all of Picanol’s sites and the pricing differential was quite stark. Cato’s solution was up to half the cost of the other vendor’s solution. “It was quite a substantial difference for essentially the same service,” says Lagast.

Picanol Group began a POC with Cato, doing a deployment in the three main sites with a VPN to the Cato POPs from Picanol firewalls. Using the existing firewalls made the POC process easy. Lagast says the engagement with Cato, from a technical and sales perspective, was a very good experience. “The implementation was swift and we had very good support to set up the POC.” The tests showed that despite costing so much less, Cato’s latency was comparable to MPLS and in fact was slightly better, with a 10% to 20% reduction in delay in China and Romania.
The additional bandwidth available with Internet connections meant that Picanol Group could worry less about maxing out a circuit’s capacity. Declaring the Cato POC a success, Lagast canceled his planned POC with the other SD-WAN vendor. He didn’t see the need since Cato’s solution worked well and the cost was so much less than the other solution.

What Picanol Group likes most about Cato
“I like the flexibility, for sure,” says Lagast. Cato offers so many different services, such as connecting local clients to the network and creating a connection among local sites. Lagast really appreciates the ease of making different connections through Cato’s network. He also finds the helpdesk and troubleshooting capabilities via the Cato console very helpful. “When there’s an overarching problem, the support we get from the helpdesk and the Cato engineers is very good. I would put Cato in the top 10% of experiences I have had with helpdesks.”

Looking Towards the Future: Security, Mobility, and the Cloud
The sites participating in the POC became phase 1 of the actual deployment with Cato appliances. Phase 2 will be ad hoc connectivity of Picanol’s other locations as they need the network’s functionality. To date, Picanol Group has focused on its connectivity needs and hasn’t yet explored all the security features the Cato Cloud provides. Lagast noticed that Cato sent an occasional security alert via the console - for example when someone accessed a suspicious website from the Cato network - but security through Cato features hasn’t been a priority yet.

Moreover, at this stage, Picanol Group opted to keep the local firewalls, since they are under contract for several more years. “I see the potential to remove those firewalls if we move our small sites to the Cato network in the future,” says Lagast. Picanol Group also needed a more flexible network to support its planned implementation of Microsoft Office 365 and other cloud applications.
To those ends, Picanol tested the Cato mobile VPN offering. “We don’t need it yet,” says Lagast, “but I see possibilities for it once we experience the need for better connectivity from the endpoint after we migrated to Office 365.”
ADB SAFEGATE Improves China Connectivity and SAP HANA Access with Videns and Cato Cloud
ADB SAFEGATE Improves China Connectivity and SAP S/4HANA Access
Manufacturing
WAN Transformation Challenged by SAP S/4 HANA Integration and China Connectivity Challenges
Mergers and acquisitions always present IT challenges. Networks must be interconnected, server and software permissions updated. But M&As are even more challenging when applications are simultaneously being migrated to the cloud. How do you pull all of that off without increasing budget? Ask Lars Norling.

Several years ago, the director of IT operations at ADB SAFEGATE, a provider of airport efficiency and productivity solutions, found himself not only merging the networks of ADB and SAFEGATE but also looking to give his increasingly mobile workforce access to ERP and other key business applications in the process of being migrated to the cloud. “We were striving to do more for the same, building a state-of-the-art communications platform but with the same bag of money that we used before,” says Norling.

Neither ADB’s nor SAFEGATE’s corporate networks would serve the combined needs of the new organization. One WAN was too expensive, in part due to being outsourced to a telco. The other WAN was locally based, making it extremely hard to maintain. “They had limited possibilities for any type of quality of service and/or high availability,” he says.

Norling knew that MPLS could not meet his needs. “Our analysis clearly showed that the shift in the IT landscape, namely extended mobility and the move towards providing core services as cloud services, led us to look outside of the box, beyond traditional WAN architectures,” he says.
But existing contracts prevented them from moving forward with their WAN transformation until 2018.

ADB SAFEGATE’s SD-WAN Criteria Emphasizes Flexibility, Performance, and Strong Customer Support
With contracts expiring, Norling began looking for a flexible SD-WAN that could meet global requirements. Half of ADB SAFEGATE’s users were seated at four main offices in Austria, Belgium, Sweden, and Columbus, Ohio. The other 50% were scattered around the globe. As such, “We needed local cost-effective Internet connections that we could upgrade individually,” says Norling.

China connectivity was also important. “China has been a challenge for us as it’s been for everyone else. We have extremely expensive connections with limited bandwidth and functionality. Users grew frustrated, and, ultimately, led to unsanctioned localized solutions with separate public Internet connections and shadow networks,” he says.

And whatever organization he chose to handle his SD-WAN, strong customer support was critical. “We need to work with reliable partners where we are customers and not just a customer number,” says Norling.

ADB SAFEGATE Turns to Videns and Cato
Norling considered and dismissed managed SD-WAN services from local telcos. “My feeling is that the telcos and their ISPs still have a journey themselves to understand what it means to be a solution provider and not just a product supplier,” he says. “We fear that we could get the same poorly managed services as we have seen before. I also think that they’re still, to some extent at least, ticket takers and not actually problem solvers.”

He turned to Videns for help. Videns had been providing ADB SAFEGATE networking services. “We were extremely pleased with Videns so they had a jump start in the discussion about our future needs,” he says. Videns selected Cato for the project.
“Cato offers one, integrated solution with a global backbone, including security and mobility. What we see nowadays is that everyone looking at SD-WAN looks at security. The two go together. Cato addresses both dimensions in one seamless solution,” says Joost van der Struijk, managing director for sales and marketing at Videns IT Services.

Cato connects all enterprise resources — locations, cloud resources, and mobile users — to a common, optimized global backbone, which today is built from more than 45 PoPs across the globe. With all traffic on the Cato backbone, Cato applies a common security policy to protect all resources. Next-generation firewall (NGFW), secure web gateway (SWG), URL filtering, malware prevention — all are built into the Cato service. Cato MDR, a managed threat detection and response (MDR) service, offloads the resource-intensive and skill-dependent process of detecting compromised endpoints onto the Cato SOC.

With POPs in Beijing, Dubai, and Melbourne, Cato mapped well with ADB SAFEGATE’s requirements. “And the possibility to include everyone within the solution, including all of our travelling colleagues and all of our small offices using the Cato mobile client, has been extremely important to us,” says Norling.

ADB SAFEGATE Tests and Deploys Cato
After the summer of 2018, Norling signed a contract with Videns and Cato for the conditional rollout starting in November. The organization was consolidating ERP systems so ensuring SAP S/4HANA could be provided as a cloud service by connecting the SAP datacenter in Frankfurt as a site was very important. “During the conditional rollout, we, of course, also put a focus on stability, performance, and traceability.
Since we are a small IT organization we also needed a solution that is easy to deploy so that we can do prepared plug-and-play installations on all small sites.”

As for connecting his China sites, he was very pleased with Cato’s approach. “We just connected Cato Socket to the existing public Internet line and it worked,” he says. “I was at one of our Chinese facilities and ran our client-based Swedish ERP system from China without any major latency. So that was a success itself.” The next step in China for Norling will be to remove expensive legacy lines and connect the Cato Socket to a new public fiber connection. “Our China colleagues have been amazed by the performance so far and, yeah, as I said, we haven't really done anything else for them yet other than connecting the Cato Socket to the public Internet line.”

His goal was to deploy all 26 sites within two months. “A goal which we met,” says Norling. “A few small offices around the world only have a limited number of users and we will only utilize the mobile client for them.”

Preparing the Network to Meet Today’s and Tomorrow’s Requirements
Today, ADB SAFEGATE is in the final stages of its deployment. There’s still some work to be done in enabling the mobile client for all users and adjusting some QoS rules. Those are minor issues, though, for him. The big issue? Norling has positioned his network for ADB SAFEGATE’s future networking requirements. “With Videns and Cato, we are building the foundation on which all of our global IT services from now on will be delivered upon,” he says.
Arlington Orthopedics Replaces Carrier-Managed SD-WAN Service
Healthcare
Challenge: How to Run Lean and Still Deliver Agile, Effective Security and Networking
It’s an all too familiar problem: IT is called to support more users and deliver more services without increasing budget. With MPLS and firewall appliances, that might have seemed like mission impossible. The sheer complexity of the traditional network infrastructure almost requires IT to maintain networking and security specialists on staff, not to mention an extensive investment in infrastructure, limiting cost reductions and constraining efficiencies.

But new technologies, such as SD-WAN as a service (SDWaaS) and firewall as a service (FWaaS), are enabling IT to operate far leaner than ever. Just ask Arlington Orthopedics, where the network nearly doubled in size without having to expand its IT team. “It was obvious to me that I had to focus my resources,” says George McNeill, director of I.T. for Arlington. “I needed my infrastructure to be as lean as possible. This way we could invest in business analysts or other customer-facing roles and technologies not internal IT roles, such as networking and security specialists.”

But the Arlington network was anything but lean. Arlington spent $10,000 per month for the 100 Mbits/s MPLS service and connections were still “choking out,” he says. MPLS’s infamous deployment times also meant he needed a 90-day window for deploying new offices — far too long for the firm. The existing firewall appliances were also sucking up resources he didn’t have. “Firewalls are complicated by default, but they’re even more complicated when set up by someone else who’s no longer with the company and with his or her own ideology and thought,” he says.

Troubleshooting the performance problem that was “choking” his network wasn’t easy. The company’s office and regional networks were flat, layer-two subnets.
Firewall appliances at each location were connected by meshed, point-to-point, virtual private networks (VPNs). Servers located in Arlington were accessed by the branch locations. George knew that some locations had performance problems, but diagnosing them was very difficult. “We could see the traffic, but figuring out the source of the problem was impossible,” he says.

And with IT resources spent keeping “the lights on,” other projects had to be pushed to the side. Disaster recovery (DR) was one such example. “I could have set up a DR site using a site-to-site VPN,” he says. “But then I would have to put a whole lot of work into the effort and still have a single point of failure.”

Cato’s “Easy Experience” Simplifies SD-WAN Adoption
George had heard about the cost savings of SD-WAN from a local provider. During his research, he stumbled on to Cato and how Cato Cloud, Cato’s SD-WAN as a service, combines SD-WAN with FWaaS. He decided to trial Cato Cloud. “I expected the company to take a month to get me equipment when two days later, I received two Cato Sockets (Cato’s zero-touch, SD-WAN appliances), preconfigured for installation.” Within 10 minutes the Cato Sockets were installed and the Cato solution was working. “We had the whole shebang for a month. A fully functional, free trial for a month, to verify that it works. Apparently, that’s not very common with SD-WAN,” he says.

For his due diligence, George went back to the initial provider. Instead of Cato’s converged secure SD-WAN as a service, the provider offered a managed service integrating third-party, SD-WAN appliances and firewall appliances. The result was a complex, heavy, and cumbersome environment. It was the classic difference between traditional, appliance-centric, managed services and the elastic, software-driven cloud, all of which led to serious adoption and configuration problems for George. “The provider wanted me to buy without a trial.
What person in his right mind would use a service without a trial?” he says. “I was on a call with 10 of their people, and they said, ‘Okay we’re going to replace your firewall.’ I said ‘WHAT? No, you’re not!’” Replacing the firewall or placing the SD-WAN appliance in front of the firewall would have meant reconfiguring his entire site-to-site VPN just for a trial. “When I told them that they needed to place the appliance alongside the firewall, their response was ‘that’s complicated.’ One dude from Cato figured out the problem in five minutes; you mean your entire team couldn’t get it to work?” he says. “After a month, the reseller still hadn’t given us the trial.”

Arlington Deploys Cato in Minutes
In the end, George went back to Cato. “Yes, Cato met my technical requirements, but the reason why I returned and am staying with Cato is that it made buying SD-WAN so simple.”

Rather than ripping-and-replacing the firewall, Cato allowed George to extend the life of his firewall and transition off as needed. External traffic could be sent to a Cato Socket sitting alongside the existing firewall. The traffic is secured by the Cato Security Service built into Cato Cloud Network. Cato Security Services include next-generation firewall (NGFW), secure web gateway (SWG), and IPS. As firewalls would reach their end-of-life or the limits of their capacity, traffic can be moved over to Cato. They can also be configured to “burst” to Cato Cloud.

Any implementation has its share of challenges and McNeill’s Cato deployment was no different. “We had a problem accessing Cato’s Dallas PoP [point of presence] at one point,” he says. “Yes, things were a bit slower, but our users didn’t notice it so much. The Sockets automatically migrated everyone to Cato’s Chicago PoP. But here’s the thing — we didn’t have to do anything.
Our firewall rules remained the same, there was no reconfiguration, and Sockets automatically re-connected to the Dallas PoP when Cato resolved the problem.”

Better Management, Better Control with Cato
With Cato, George has improved agility, increased visibility and control, and expanded his level of service to the business, all without scaling up his IT team. Deploying new sites takes far less time. “With Cato, I am setting up an office before they have electricity to every socket,” he says.

McNeill can also diagnose problems more efficiently. By sending all traffic to the Cato PoP, McNeill gains a single-pane-of-glass into his network. He’s been able to use that tool to improve governance and IT’s interaction with the business. “We found that Netflix was being streamed across the network during company hours. With our firewall, we would have only been able to block Netflix, and that was my knee-jerk reaction, but then whoever was watching Netflix would switch to another network.

“With Cato, I was able to identify the user watching Netflix and on which device — his cell phone. This way I was able to send him an email to hold off on movie time during company time. And if he keeps doing it without permission? I’m going to turn off Netflix for just that phone during work hours,” he says.

And he’s been able to address his disaster recovery issues. “Cato has made a separate disaster recovery site possible for us,” he says. Instead of configuring individual site-to-site VPNs for each location to a DR facility, now the DR facility sits like any other office on the same Cato Cloud-based WAN. “The Cato Sockets allow me a huge level of high availability,” he says.

Looking Ahead with Cato Means Keeping Lean and Effective
George has largely eliminated MPLS and the firewall appliances, transitioning most offices to Cato Cloud. He plans to migrate his last office to Cato once he’s finished his MPLS contract.
[caption id="attachment_7249" align="alignnone" width="1000"] With Cato, Arlington gained deep visibility into their traffic.[/caption] Eliminating MPLS will free up budget for other IT projects, such as increasing front-line support, but one thing George won’t need to hire is deep engineering expertise. “If we didn’t have Cato, I would have to expand headcount with a networking expert. Now I can put my resources elsewhere,” he says. The bottom line? “Cato enables me to be more diligent. Questions I could not have answered because of a lack of time like ‘What are people doing on my network?’ I’m now able to answer.”
Managed IT Provider Eliminates Appliance Sprawl, Improves Security Capabilities
Managed Services
The Journey to Cloud-based Security Services

Why were you looking to change your security architecture?
We initially went out to market because of SSL inspection. Our firewall appliances did not have the necessary capacity. The capability was available with additional licensing, but not the capacity.

What approaches did WWIT consider?
We evaluated and did a lot of research on many vendors and then tested a smaller pool of them. The second choice was a leading Secure Web Gateway (SWG) provider. The company really provided a web filtering solution with Data Loss Prevention (DLP) and other features built-in. The offering didn’t have full firewall capabilities so we couldn’t replace the customer’s firewall appliance, which would have led to higher costs and more management overhead.

Why did you choose Cato?
The flexibility we got with Cato Cloud, and particularly with the SSL inspection, meant we didn’t need to upgrade any hardware on-premise to inspect all necessary traffic to keep customers safe. Looking at Cato’s overall platform, I think there’s a more complete vision than other vendors who are primarily web gateways. The tipping point was Cato’s easy deployment and the ability to roll out rapidly to customers.

The Benefits of Cato’s Firewall as a Service

A converged security service aligned well with WWIT’s need?
That’s right. A lot of the competitors we reviewed were simply web filters with a lot of services built on top of that. None of them were true cloud FWaaS with additional security services. I think even though Cato is a startup and a much newer company than some of the others we evaluated, the Cato leadership has a vision and approach to make the Cato Cloud a platform rather than just a single service offering. It’s a distinction I like. I also liked the team behind Cato. The executives’ track records in previous companies, and the work they did in building innovative solutions is a plus.

Sounds pretty compelling. Is there any reason why someone may opt not to deploy the Cato platform and remain with an appliance?
Playing the devil’s advocate here, you’re relying on Cato to handle all of your traffic and security services. You must ensure anyone doing that has a robust platform, the uptime to meet your needs, and those sorts of things. From a purchasing standpoint, it’s the sort of thing that would have to be vetted by any organization. I looked at the Cato Cloud architecture and was very impressed by the degree of redundancy built into the network.

How does Cato help with the biggest security threats concerning your customers?
Our customers are particularly concerned with web-based threats, more specifically a lot of the newer variants of ransomware and crypto-types of malware. Those are really rampant. They may come in as an email, but they’re just a link to a web-based threat. Cato gave us the ability to actively scan traffic and stop those attacks. This is particularly valuable for small offices that lack the resources to purchase a robust network security stack. With Cato, we could provide them affordable protection with the same kinds of policies and robustness that might have only been available in high-end appliances.

How are customers using Cato today?
Most of them are multi-offices and we use Cato to unify the policies and protection across them. For a lot of customers, it’s just to add extra layers of security. You can deploy Cato with Cato Sockets (Cato’s hardware endpoints) or you can send your traffic through the existing firewalls. In some cases, we’re leaving existing firewalls in place because they’re new. Cato adds an additional layer of filtering and the capacity to do SSL inspection, which is one of the more important things with Web-based traffic. It’s not just distributed offices that describe customers, it’s also the need for extra security and eventually to replace their firewall as it ages and is no longer needed.

The Business Impact of the Cato Partnership

With which kind of business problem did you find Cato especially helpful?
Acquisition, in particular, is a good example. We have customers who need offices brought online and connected in a very quick and efficient manner without a lot of upfront costs. Cato really fits that need to a “T”. One customer of ours has acquired many smaller shops in their industry. Rather than having to build the technology infrastructure stack at each new location, the customer utilizes Cato for connectivity and security in a very simple manner.

[Figure: With Cato, partners can manage all of their customers from one view.]

Can you describe your relationship with Cato so far from a partner perspective?
To us, Cato seemed to be both very channel-focused and very flexible. I think that’s an important distinction. A lot of vendors are not easy to work with and not flexible at all in what they offer partners. Cato’s open to getting ideas from us, and is capable of incorporating them into their platform very quickly.
Security Software Company Maximizes Global R&D Productivity With Cato Cloud
Technology
Mission Impossible: Open an Office in Days Without Compromising Network Performance

The company was looking to expand its workforce by hiring developers in Europe. The challenge? They needed a new facility – and gave the IT team five weeks to open the location.

At first, the technical approach appeared straightforward — connect the location into the company’s Internet VPN. Firewall appliances at other company locations already established IPsec tunnels into the headquarters. Contractors and remote users accessed Jira, as well as the company’s Docker containers, by running mobile VPN clients on their devices and connecting to an assigned firewall. From there, they traversed the VPN to headquarters and onto their destination.

The approach seemed obvious. But there was no onsite IT personnel in the European branch office, and an IT person is exactly what would have been needed to configure and deploy the local firewall. The developers were going to work in a shared office space, like WeWork or NextSpace. While the shared office provided Internet access, NATing was being used. Without a dedicated, public IP, a local firewall would need its configuration “tweaked” just to establish a VPN to other firewalls.

And for every location added to the VPN, the IT manager found deployment to take exponentially longer. He and his team needed to configure tunnels from the new location to every other company location. It was an arduous process requiring them to establish the tunnels to each site, design specific firewall rules for each tunnel, and factor in user issues, such as whether or not to allow remote access. “It was about 1.5 hours of work per tunnel per site. We could spend a few days just configuring the VPN for a new location,” he says.

Performance was a major challenge. “The most painful thing was the connectivity between branch sites,” he adds. Backhauling traffic through a datacenter in a different region meant users were unable to access remote applications and services. The additional hop created “slowness” in the user experience and led to timeouts.

The IT team was also unsure of the availability of its Internet path. “The European branch office required 100 percent uptime,” he says. “With the Internet, you can’t promise that. Your traffic still goes through several unknown ISPs. You can’t ensure that every hop is not a single point of failure.”

Another approach was needed. MPLS sounded like the logical choice. It would address his performance concerns. But getting an MPLS line installed in time was going to be a problem. “Just taking delivery of a 20 Mbits/s MPLS circuit would require about a month-and-half in total and three weeks after signing the purchase order,” he comments. Far too long for his five-week window.

Cato Cloud: Fast Deployment and Faster Applications

The IT manager looked around for alternative solutions when a friend suggested he investigate Cato Cloud, Cato’s cloud-based and secure global SD-WAN. Cato Cloud would use his existing Internet line to connect locations, mobile users and, when he’s ready, cloud resources into an affordable, SLA-backed alternative to MPLS. Once in the Cato Cloud, all traffic is protected by a converged suite of advanced security services that includes next-generation firewall (NGFW), secure web gateway (SWG), URL filtering, and advanced threat protection.

For a company where the Internet and mobile connectivity already played such a key role in its networking strategy, Cato Cloud sounded very attractive. By relying on Internet last mile, deployments would be much faster than MPLS. And since Cato uses zero-touch provisioning, the company could avoid the time spent individually crafting each VPN configuration.

IT initially installed a Cato Socket, Cato’s SD-WAN appliance, at the remote European office and at the headquarters behind the existing firewall. With users connecting directly to Cato, he did not need to add a firewall at his new location. During the next phase, he rolled out Cato to all offices. Mobile users were equipped with the Cato Client to connect directly to Cato Cloud.

Performance Improves, Costs Fall with Cato Cloud

With Cato, IT did far more than just deploy a new location. It improved the users’ application experience, made the team more efficient, and reduced costs. “Cato certainly met my expectations,” he says.

Cato Cloud incorporates a range of network optimizations that significantly reduce data transfer times. “Cato’s optimizations make all the difference. As one Atlanta user remarked to me ‘This is unbelievable. I work with our main server in the datacenter and I feel like it is right here in the office.’”

IT agility has also improved significantly in many ways. Deploying new offices is no longer a matter of days or even hours. “Onboarding is very fast,” he says. “From the time you put in the Socket, minutes are needed to deploy a location.” New account configuration is particularly easy. “The LDAP integration really helps. We just imported hundreds of users right into Cato. No need to type in configuration profiles,” he adds.

Ongoing management has also become simpler and more efficient with Cato. He monitors his branch sites from one screen using the Cato Management Application. “Managing the solution is very intuitive,” he says. “I gave the Cato Management Application to one of the IT engineers and she quickly adapted to the platform.” As such, operations have been streamlined. “We saved ourselves 15 engineering hours a month just getting things done like changing firewall rules, enabling users, and other similar tasks spent managing our branch infrastructure,” he says. “With Cato, we can now allocate that time elsewhere.”

Cost avoidance was also realized in several areas. Cato saved the company from having to purchase an MPLS connection at $4,800 per month. The company also avoided paying for firewall licenses. “We planned on spending $600 per branch firewall and another $400 per year for our licenses,” he says, “but many firewalls had to be upgraded because they couldn’t handle activating the IPS, the number of active security rules, or the amount of bandwidth. We would end up spending $1,600 per branch firewall and $950/year for the license and that doesn’t include the time or cost of upgrading to the new appliance.”

Any deployment requires close cooperation with the service provider and on that, Cato gets high marks. “Cato support is unlike any other support that I’ve experienced. Our interaction is almost like working with an extension of our team,” he says.

Security Robust Enough for the Experts

Moving forward, he is looking at replacing the remaining firewall appliances with Cato Cloud. He also wants to enable Cato IPS and Cato’s advanced threat protection knowing that unlike an appliance, performance will not degrade with the new capabilities.

[Figure: With Cato, application experience improved and network management became very intuitive.]

Overall, he doesn’t have regrets with the transition, but he does have an answer for those questioning his decision to go with Cato. “As you can imagine there were more than a few skeptics in the room when I pitched Cato. MPLS was the safe bet,” he says. “But when I went back to one of the VPs and said ‘Did you ever imagine that with the money we were going to spend on connectivity alone for the European branch, I could now connect our US support team and customer focus groups, and still provide remote access to all employees?’ He didn’t believe me until I showed him the bills.”
Blender Breaks Free from the Box
Financial Services
Challenges

When Blender originally started out of their headquarters in Israel they had installed a firewall appliance from one of the top tier vendors. Chief Technical Officer (CTO) Boaz Aviv found it complex to manage, upgrade and patch. “Owning these boxes is expensive and they need constant management. Even if the time required to manage your firewall is just 10 hours a month, that’s still 10 hours you’ve lost,” explains Aviv.

Blender depended on an IT integrator for installation and support of the firewall appliance. When they experienced a system failure over the weekend, their IT integrator was not available to support them. This resulted in long downtime and impacted their business.

“We are a global operation and we keep it very lean and mean,” says Aviv. “In order to do this you need to minimize hassles that don’t directly relate to your business. So it’s very important to optimize resources, time and people needed to manage your network and security. That’s why I’ve always preferred the simplicity offered by cloud solutions like Cato.”

When the time came to expand to their new offices in Italy and Lithuania, the team at Blender stopped to reevaluate how their office network security footprint would impact cost and capacity going forward. Without dedicating personnel to support remote appliances with upgrades and patches, Blender would be dependent on costly third-party assistance with unreliable coverage.

Also, as a financial technology organization, Blender continuously seeks to upgrade into better security services. “Although we are a young company, we never compromise on security,” says Aviv. As a cloud-centric business that is subject to regulations and stores most of its data in SaaS applications and an IaaS datacenter, Blender specifically needs to secure data access.

Solution

When Aviv initially learned about Cato Networks and its cloud-based secure network, he saw it as a perfect fit for Blender. “The only metal I had in my office was our telephony machine and the firewall — and I wanted to get rid of both of them,” explains Aviv. “I felt that as much as we grow, the more these boxes would grow right along with us, as would the burden of managing and supporting them.”

To deploy Cato, Blender simply replaced the incumbent firewall in the main office with a Cato Socket — a small, zero-touch, tunneling device to forward traffic from the office to the Cato Cloud. Connecting their branch offices was simple and required zero technical expertise. All locations were now using secure internet access via Cato. A full security stack, including Next-Gen Firewall, application control, and URL filtering inspects Blender’s traffic, which is fully encrypted between branches and the Cato Cloud. Managing network security centrally in the cloud enables a unified policy for all users, locations and applications.

Prior to Cato, Aviv had planned to purchase more appliances to support the company’s disaster recovery (DR) sites. Installing Cato now allows him to avoid the significant expenses and IT resources it would take to manage additional appliances. Instead, his team is securely connecting the DR sites to the Cato Cloud and from there to the rest of the business.

Blender employees access Office 365, Salesforce and Amazon AWS apps on-the-go using the Cato Client app on their mobile devices. The Cato Client establishes a secure tunnel to the Cato Cloud and all cloud traffic is protected by Cato. To prevent unauthorized access and protect against credential theft, Blender is using a unique Cato feature that allows them to configure their SaaS applications to accept traffic only from the Cato Cloud specific IP range. Since the Cato Client can only be used after a full device registration, hackers can’t target the cloud apps using unregistered devices.

The Way Forward

A year into production, Blender is meeting industry security audits while scaling capacity in step with its growing business and easily enabling users to access network resources using the cloud-based management application. Aviv has been impressed with the level of support he’s received throughout.
Manufacturer Replaces MPLS with Cato Cloud, Improves Performance and Security
Manufacturing
Delays and High Cost Leave IT Frustrated By the Carrier Experience

As companies embrace the cloud, the classical hub-and-spoke configurations of MPLS often prove to be too rigid and ineffective. The automotive component manufacturer, a metal forming specialist, was no exception. The number of computers at the metal specialist had nearly tripled in the three years leading up to its WAN transformation. The company was also moving to a cloud-based Plex ERP system, all of which made delivering predictable Internet access more challenging and more critical.

Uptime proved to be far from perfect. Brownouts — fluctuations in latency and loss caused by congestion on the MPLS network — were all too common. “The corporate office had a 20 Mbits/s MPLS connection, and then we shared 30 Mbits/s between all sites. If someone at corporate was downloading a file at 20 Mbits/s that only left 10 Mbits/s for everyone else and the network started to choke,” he says. “Quality of service (QoS) was too rigid to be of help and not really working.”

And though every location had redundant connections, continuous uptime proved challenging. MPLS routing proved to be a poor approach towards redundancy. “Automatic failover worked most of the time, but there were always problems,” says the IT manager. “It relied on pinging two or three guests, such as Google, the local interface, or one of the routes. If none failed, though, failover wouldn’t work even if our sites couldn’t access our datacenter.”

The carrier proved unable to help. “The carrier’s technicians were not experts in the products. Most of the time, our staff was more knowledgeable than the representative assigned to the ticket,” he says.

The carrier’s rigidity also complicated opening new locations. The carrier could only work with certain infrastructure providers. “The representative told me ‘I can’t get you fiber at that location’ and I was like ‘I already have fiber, what do you mean you can’t give it to me!’”

The network problems led to other headaches. The company runs a “deny all” policy at its firewall with exceptions made by user groups for fixed users. “The carrier’s firewall had a hard time identifying users correctly when the laptop went from wired to the backup wireless connection,” he says. “Their solution was for us to spend $5,000 more for a client-based authentication product.” Overall, incorrectly identifying users was “the biggest failure” of the carrier approach, he says.

The Team Evaluates SD-WAN Solutions

The company knew leaving MPLS was critical and the team began assessing SD-WAN solutions. “We looked at a bunch of SD-WAN suppliers, but they kept passing us off onto their resellers,” says the IT manager. “We already had the experience of one reseller not understanding the technology. Trying the same approach again was the last thing we wanted to do.”

He also didn’t want to go with a carrier-managed SD-WAN service. “One SD-WAN supplier sent us back to our carrier to purchase a carrier-managed SD-WAN service. It was insane,” he says. “I hate that carrier right now and am trying to fire them, and I should go back to them?”

He had heard about Cato and was intrigued by Cato’s ‘easy’ experience. “I liked your vision and support model,” he says. Unlike carrier-managed SD-WAN, Cato Cloud is a cloud-based SD-WAN service fully developed by Cato. There are no third-party appliances to increase costs or complicate support; the technical expertise resides in Cato. The Cato Cloud converges security and networking, providing an affordable MPLS alternative, firewall as a service, remote access, and CASB functionality. And by being based on software-defined perimeter (SDP) principles, Cato Cloud allows fine-grained network access and protects corporate assets from network-based attacks. “Cato seemed to have everything together,” he says.

Manufacturer Adopts Cato Cloud, Eliminates Performance Problems

Ultimately, the company ran a Proof of Concept (POC) between locations and settled on the Cato platform. He added Cato’s easy-to-deploy SD-WAN appliances, Cato Sockets, to each site. Rather than backhauling Internet traffic, the IT manager provided sites with direct Internet access protected by Cato Security Services, which include NGFW, IPS, and anti-malware inspection. The Cato Sockets establish secure tunnels to the closest Cato PoP, which inspects and forwards traffic either to company locations across the Cato Cloud or out to the public Internet.

Cato’s affordable price allowed the company to increase bandwidth at locations. The IT manager provided sites with 6 to 20 times more bandwidth for the same cost as the MPLS. “Before we had 30 Mbits/s out to the Internet (with a hub firewall). Now with Cato our Internet bandwidth per site went to 740 Mbits/s.”

As a result, performance improved significantly. “With Cato, our response time to our ERP system flattened out. Normally, we needed 20 to 30 milliseconds to reach the ERP system due to congestion across MPLS, and then as much as 500 milliseconds for a response. After switching to Cato, response time averaged 30 milliseconds or less.”

[Figure: The manufacturer saw latency decline and become more consistent with Cato Cloud.]

Availability has also improved. Unlike MPLS, Cato measures the full path to the cloud for accurate, predictable failover. “Cato has true failover in the product,” he says. “Now if one ISP goes down we automatically switch over to the other one.”

Cato Cloud Improves Supply Chain, Third-Party Access

The combination of Cato’s flexibility and converged security services gave the company some unexpected benefits, such as allowing third-party access to his network. With Cato Cloud, the company’s partners and suppliers connect to the same SD-WAN through an IPsec tunnel. Access is restricted to only the necessary resources as Cato Cloud adheres to SDP (Software Defined Perimeter) principles, which call for authenticating users before showing them available network resources. With just a few minutes at the management console, the IT team can configure network-wide policies for fine-grained access.

It’s “really awesome,” he says. “Now, I can let our telephony vendor VPN into our network without compromising our security. They can only connect to the voice network and nothing more.”

Cato Security Service also eliminated the problem of identifying users when switching from wired to wireless. “VPN connections can easily be restricted to only sites or hosts that they need to connect to which has increased our security capabilities,” he says.

Cato ‘Easy’ Experience Makes the Difference

Most of all, the IT manager liked how Cato handled support. “With Cato, it was the support people that really made us go, ‘You know they’ll fix it.’ The people are smart and intelligent and know what’s going on instead of just taking a ticket.”

It’s the combination of networking and security convergence with personal support that makes for Cato’s “easy” experience. And it’s that combination that made the difference for the company. “You can have the best product in the world, but if you can’t get customer service then you’ve got nothing,” he says. “Our problem was the carrier resold firewalls with issues and only one or two people in the entire company seemed to have answers.”
Universal Mental Health Services Eliminates Branch Firewalls
Healthcare
Challenges

The UMHS network was originally designed to have all 12 branches connected via MPLS and backhauling to a primary datacenter with one central firewall. However, after the process began, UMHS realized that MPLS was too expensive to deploy in all locations. Additionally, some locations were outside of the MPLS provider’s service area. This then forced the organization to connect 5 branches via SonicWALL Firewalls with site-to-site VPNs. This resulted in a mesh of two network architectures that were more complex to run and manage.

Running this environment proved to be challenging, especially due to the burdens of updating the hardware and maintaining firewall software. It was labor intensive and updates didn’t always go smoothly.

“Specifically I remember updating the firmware on some devices that caused us to lose connectivity. This created a disruption in our record keeping as our branches send key reports directly to our headquarters. Employees generally scan records using copiers, and those records are then stored directly into the appropriate folder at corporate. Additionally, because we deal with sensitive issues like abuse and drug use, employees need free access to internet resources. Policy management was difficult because SonicWALL does not offer agile options to balance the blocking of banned websites while still providing access to necessary information.”

Solution

UMHS came across Cato opportunistically. “I was at an industry event, and there was quite a bit of excitement around Cato’s booth and its services. I decided to visit the booth to see what the buzz was all about.”

After a thorough review of the services, UMHS selected Cato to replace all of its SonicWall Firewalls. The first step was to establish an IPsec tunnel to Cato from the datacenter firewall. Then, each branch location had a Cato Socket replace the SonicWall firewalls.

Now connected to the Cato network, UMHS has eliminated connectivity issues, saved money and simplified its policy management. Cato protects all connected locations and seamlessly scales to secure all traffic, without the need for unplanned hardware upgrades and resource-intensive software patches. It also coexists with the MPLS-based network.

As a healthcare organization, security and agility are two of the biggest drivers when it comes to providing good customer service. With Cato, UMHS is now armed with the ability to clearly see all network traffic and application usage, create policies and enforce them across all branches, and identify security gaps and policy violations. Cato has given the organization a completely new perspective on how easy network security can be.

Future Plans

UMHS is so satisfied with the decision to switch its firewalls to Cato that it plans to migrate all locations using MPLS as soon as their contracts expire. A cost analysis done by the organization shows that this change will save thousands of dollars by having all of its 13 locations connected to the Cato Cloud.
Sun Rich Converges Network and Security into Cato Cloud
Food
Sun Rich Converges Network and Security into Cato Cloud The Appliance Patchwork Like so many enterprises, Sun Rich’s infrastructure became ever more complex with the growth of the organization. An MPLS network connected all facilities; Internet access was centralized in one location. Mobile users relied on a third-party service. Numerous security tools, such as firewalls and anti-malware, were needed to protect users. Connecting to Azure brought its own headaches. In short, Sun Rich was drowning in cost and complexity. MPLS connections for the US sites were very expensive, limiting the amount of bandwidth to those locations. They also took far too long to deploy. “We looked at upgrading our WAN optimizer, but buying another expensive solution didn’t make sense,” says Adam Laing, systems administrator at Sun Rich. The network architecture was impacting the business. Backhauling the Internet traffic to the datacenter coupled with the limited capacity at each location meant users experienced general “sluggishness” when accessing applications. “Today, you can’t run a business on 3 Mbits/s connections to your branches,” says Laing. “We ended up paying a lot of money for nothing.” They also struggled with reading and writing files to the shared file server at the datacenter. The company’s ERP application requires the Remote Desktop Protocol (RDP). Users could also use RDP to access files from the share drives. The performance was slightly better than when the users accessed files directly from their desktops but if the files were complex, opening and saving work was challenging across the MPLS network. Employees resorted to copying large files to their desktops, circumventing sharing, security, and backups. Printing was also impacted when executing the job from within the RDP environment. Requests were routed to the datacenter and then back to the local office printer, delaying print jobs. Internet backhaul introduced other headaches. 
Connecting to Azure was difficult because “performance was not where it needs to be,” says Laing. “The limited performance would also have made migrating to Office 365 and SharePoint impossible,” he says. SD-WAN Alone Not the Answer Sun Rich needed an alternative approach. Laing began by investigating SD-WAN appliances, connecting offices with multiple, active broadband connections. The US facilities were provided with direct Internet connections, secured with local firewalls, alongside their existing MPLS connections. The SD-WAN appliances directed internal traffic to the MPLS network and Internet traffic to the direct Internet connections. Adding the appliance was effective for one site, but proved challenging for the other US location. The broadband connections did not have the same stability as the MPLS network. The lack of fiber meant Laing had to use DSL and eventually 100 Mbits/s cable to connect the location. Internet routes, even in developed Internet regions, can underperform or perform erratically. To minimize the Internet’s impact, Laing followed SD-WAN best practice and connected his offices to multiple Internet links. No number of local links, though, could compensate for poor routing. The ISP bounced traffic from Sun Rich’s Pennsylvania office across 30 hops before reaching the datacenter. Without control of the routing, the SD-WAN appliances were unable to improve the connection. “We opened a trouble ticket with the SD-WAN appliance vendor, but when the customer support agent saw our line speed met the committed rate, he said there was nothing he could do to help,” says Laing. In the end, Laing was unable to achieve his goal. “We could never remove MPLS because of Internet routing issues,” he says. “Despite upgrading from 3 Mbits/s to 100 Mbits/s the users barely noticed a difference when connecting to the datacenter.” Consolidate with Cato With Cato, Laing found a solution that addressed all of his requirements. 
The Cato Cloud is an SLA-backed backbone that can replace MPLS by compensating for the latency, packet loss, and erraticness experienced across the Internet. Advanced security and network optimization functions run within the Cato Cloud, allowing Laing to simplify the network as it relates to firewalls, WAN optimization, routers, and SD-WAN appliances. Sun Rich also gained far greater visibility and control with Cato. From a single management console, Sun Rich can see all of its cloud, site-to-site, and mobile traffic. No longer did Laing need to switch between different vendor products and services to understand network usage. Security policies can also be set for the entire network from Cato’s management console, making updating and enforcing security that much easier. “When I saw Cato’s presentation I literally thought to myself ‘They’re talking directly to me.’ Cato basically addressed every single issue on our network.” Sun Rich’s Azure experience improved for several reasons. Cato’s PoPs share the same facilities as Azure, making application performance far faster than traversing the Internet. And by eliminating MPLS backhaul, Sun Rich reduced the latency for cloud applications. Migrating production workloads between the datacenter and Azure became much easier across the shared backbone. User experience also improved by no longer having to separately log into Sun Rich’s datacenter and its Azure instance. [Figure: Sun Rich gained a comprehensive, detailed view of its network from the Cato management console.] Finally, Cato’s integrated approach is far more affordable. “Based on our size, our annual renewals on our appliances alone were nearly Cato’s price,” says Laing. “Simplification also translates into better uptime. You can troubleshoot faster with one provider than five providers,” he says. 
Looking Ahead Laing hopes to further simplify his network by connecting his mobile users with Cato’s mobile client. Public cloud applications and any new private cloud resources can be securely connected in the future, as needed.    
Humphreys Replaces MPLS, SD-WAN Appliances, and Mobile VPN with Cato Cloud
Construction
Humphreys Replaces MPLS, SD-WAN Appliances, and Mobile VPN with Cato Cloud MPLS Problems Complicate Networking For years, MPLS services were the de facto standard for connecting company locations. And so, like many enterprises, Humphreys duly built its U.S. network on MPLS. The MPLS service gave Humphreys the predictable transport necessary for running business-class voice service, but it also brought plenty of headaches. “The problem with MPLS is that it’s expensive, slow, and takes forever to get anything done,” says Paul Burns, IT Director at Humphreys. Connecting new locations took far too long, with circuit delivery requiring several months. “Ninety days doesn’t fly anymore when a site is just two or three people in a garage and DSL can be delivered in a day or two,” Burns points out. What’s more, MPLS wasn’t agile enough to accommodate Humphreys’ growth. “Many of our offices start with a few people, but then they outgrow the space. Every time we moved, our carrier wanted a three-year contract and 90 days to get the circuit up and running.” Even simple network changes, like adding static routes to a router, necessitated submitting change tickets to the MPLS provider. To make matters worse, the carrier team responsible for those changes was based in Europe. “Not only did the carrier require 24 hours, but often the process involved waking me in the middle of the night,” Burns says. MPLS inflexibility hurt more than the business; it hurt Burns’ reputation. “I once sat in an executive meeting and learned that we were moving an office,” he recalls. “I explained to the other executives (again) that the move would take at least 90 days. They just looked at me like I was crazy.” When Humphreys opened an office in Uruguay, Burns wanted to connect it to his MPLS service. His provider offered only a 1.5 Mbits/s MPLS connection for $1,500 a month, about the same price as his 50 Mbits/s MPLS connection in Dallas. 
“It was a take-it-or-leave-it kind of deal — so we left it.” SD-WAN Edge Appliances Not Much Better Burns began investigating SD-WAN with Internet connectivity as a way of connecting his Uruguay office, maintaining MPLS for his voice service. He gradually deployed SD-WAN appliances in Uruguay and four other locations, swapping MPLS inflexibility for SD-WAN complexity. “The configuration pages of the SD-WAN appliance were insane. I’ve never seen anything so complicated. There were pages upon pages of settings with so many options,” says Burns. “Even the sales engineer got confused and accidentally enabled traffic shaping, limiting our 200 Mbits/s Internet line to 20 Mbits/s.” The appliance-based architecture also proved difficult to get fully working. The SD-WAN appliances had to establish tunnels with one another, but that didn’t always happen. “Sometimes Dallas could connect to two sites, but they couldn’t connect to each other. The vendor’s answer: update our firmware and reboot. But that didn’t work.” [Figure: Network Diagram Before Cato Deployment] Ultimately, Burns abandoned the SD-WAN appliance architecture. “It was just the maintenance of it. We would get an e-mail every time there was some SD-WAN-related error. You expect e-mails at 4 am with a telco when it’s doing network maintenance and things go down. I don’t expect thousands of early morning e-mails from an SD-WAN appliance.” Cato: Converging SD-WAN, Security, and Mobility Simplify Networking Burns decided to try Cato Cloud, Cato’s SD-WAN as a service. “We drop-shipped devices out to New Orleans, and I flew out to install the stuff. Took less than a day, and performance was great.” Eventually, he deployed Cato in every location but Garland and Orlando, which were still under MPLS contract. Cato was particularly helpful in connecting locations outside the U.S. “Cato gave us freedom. 
Now we can use a socket, a VPN tunnel, or the mobile client, depending on location and user requirements.” “My biggest concern with connecting Vietnam to our previous SD-WAN was shipping the appliance. There was the matter of clearing customs and installation. We’d be dealing with a communist country, and I wasn’t familiar with its culture. Instead, users can now just download and run Cato’s mobile client.” As for the Uruguay office, Burns could use a firewall-initiated IPsec tunnel. “We set up Uruguay in 10 minutes because we just built a VPN tunnel through the existing firewall,” he says. [Figure: Network Diagram After Cato Deployment] Burns expects to migrate all local firewalls to Cato. “Our public-facing ‘stuff’ has been relocated to the datacenter. The only inbound traffic comes from people ‘RDPing’ into their computers through Dallas. Now, when we see that, we just fix them up with the Cato VPN.” Convergence Brings Business Value Cato’s converging of networking, security, and mobility onto a managed backbone simplified Humphreys’ network and helped the business. Bandwidth costs will reduce as Burns phases out MPLS at the remaining locations. He can eliminate MPLS because of Cato Cloud quality and predictability. Cato Cloud’s latency and loss levels were more than sufficient for business-grade voice, he reports. Humphreys was also free to tap the best talent without connectivity concerns. “Our Newport Beach branch wanted to hire a guy in Scottsdale, but we had no office there,” says Burns. “With Cato, we just connected him with Cato’s mobile client. Without Cato, the guy basically wouldn’t work for us, or his functionality would be 25 percent of what it is now.” [Figure: Humphreys Moves Voice on to Cato Cloud] Burns loved Cato’s security features as well. 
“We hadn’t even subscribed to Cato’s security services, but we were alerted to potential malware on our users’ machines,” he notes. “That’s something that none of our other network providers can offer.” [Figure: Cato Cloud is predictable enough to accommodate Humphreys’ voice (RTP) traffic] Burns’ bottom line on Cato? “We set out to address our MPLS problem, and along the way we got an affordable MPLS alternative, security solution and mobile VPN solution.”
FDMG Cuts Costs, Revolutionizes Mobile Experience by Replacing MPLS and Mobile VPN
Media
FDMG Cuts Costs, Revolutionizes Mobile Experience by Replacing MPLS and Mobile VPN Separating WAN from Remote Access No Longer Makes Sense for FDMG For years, enterprises connected locations via wide area networks (WANs), and remote users via concentrators and other remote access technologies. Keeping networking and remote access separate might have made sense when offices were the rule, and mobility was the exception, but in today’s mobile world, such distinctions only complicate mundane IT tasks. Just ask Jerry Cyrus. As the technical team leader and information security officer at FDMG, Cyrus knew all too well the complexities and costs of separate remote access and networking solutions. FDMG had many journalists working in the field as well as physical locations. Separate security policies were required for fixed and mobile users; user provisioning was also cumbersome. And then there were the cost and scaling limitations of MPLS and, for that matter, remote access concentrators. MPLS bandwidth is notoriously expensive, particularly for multimedia companies such as FDMG, where stories involve video and other large data formats. As for remote access, Cyrus was generally pleased with the concentrator’s functioning but tired of the concurrent-user problem. “We would have 50 concurrent users, and once you wanted to add that 51st, you were stuck,” he says. Cyrus could have upgraded the concentrator, but that would have impacted the business. “We’d have had to take down the concentrator for about two hours, which wouldn’t have sat well with journalists filing breaking stories from the field,” he says. “Two hours is a lifetime for them. In the past, many drove to one of our offices just to work — not a very good way to experience IT.” Instead, Cyrus realized that solving both WAN and remote access problems would reduce costs and a whole lot more. 
“By consolidating security management, we could give users a better mobile experience and simplify firewall and security system operations.” FDMG Evaluates Cato Cloud Cyrus considered replacing MPLS with an Internet-based, site-to-site VPN. That would have lowered his bandwidth costs, but it would also have been a “big head-breaker,” he says. “In some cases, we’d have to upgrade concentrator hardware; in others, we’d have to set up new firewalls, configure the necessary tunnels, and deal with a lot more headaches.” Cyrus had heard how Cato Cloud converges security services, SD-WAN, and mobile access onto an affordable MPLS alternative. With Cato Cloud, he could connect and secure his entire enterprise — offices, mobile users, and cloud resources — with one seamless network. “After doing some research, I knew Cato Cloud would fit right in,” he says. But Cyrus had to deal with internal concerns about working with a new company. “At first, people were a bit scared of moving forward with Cato Cloud,” he says. “They were familiar with vendors, such as Palo Alto and Cisco. Cato was new to them. After several conversations with Cato and showing the product, people became much more comfortable.” Cato’s ability to be rolled out incrementally also helped Cyrus address those concerns. He started small, proving viability by adding a Cato Socket, Cato’s zero-touch SD-WAN appliance, in the Amsterdam hub and connecting a few users with Cato’s mobile VPN client. Both Socket and the mobile client automatically connect to the closest Cato point of presence (PoP), where the Cato software secures, optimizes, and dynamically directs traffic to the Internet or the optimum path across the Cato Cloud network. Having validated datacenter access, Cyrus connected an internal AWS site to check Cato Cloud’s connectivity. Once successful, he began converting production sites to Cato. 
Branch offices with more than ten users received a Cato Socket; freelancers and other external users were equipped with Cato’s mobile client. FDMG Converges Security, Mobile Access, and MPLS with Cato Cloud With Cato, site installation has been fast and easy. “Cato gives me ‘no-hassle setup.’ I connect the Socket, and we’re online and secured,” he says. “I don’t have to configure firewalls, establish dozens of security rules, or anything.” Moving sites has also become trivial. “I’m going to be moving one office to another floor, and the only thing I need to ask is if there’s an Internet connection. If so, we’ll be up and running instantly.” The newfound agility has not gone unnoticed. “Somebody asked me how long it would take to move the team to a new office. When I told him about ten minutes, he was shocked.” As for performance, Cyrus says users haven’t missed a beat. “Cato Cloud’s latency, packet loss, and uptime have been basically the same as MPLS — but, of course, much less expensive and more flexible,” he says. “If I want to scale up, it’s easy with Cato. With MPLS, I would need to make all sorts of arrangements.” That’s not to say there have been no hiccups. “Any new technique encounters some configuration issues, and Cato was no different. Early on in the deployment, Cato upgraded one of our Sockets without our knowing. They resolved the problem quickly, and since then I haven’t had an issue.” In fact, Cato support has been one of the biggest eye-openers for Cyrus. “Cato is not your typical provider,” he says. “The product is flexible, and support is good. If we have modifications and questions, Cato support is always eager to listen and either adjust or recommend a solution to the problem.” Cato Improves Mobile User Experience and More Cost savings might have initially driven FDMG’s WAN transformation, but it’s the operational benefits of increased usability and agility that became particularly compelling. 
“In the early days, users had to open a browser and navigate to our portal, log in, and only then launch an application to get a VPN connection up and running as if they were in the office,” Cyrus says. “There were so many steps, which not only frustrated users but meant more helpdesk calls for support.” With Cato, Cyrus sets the policies determining the applications and resources available to users and user groups. Mobile users join the Cato network directly, not a separate remote access solution, making network access much cleaner. “Now users just push the slider on their mobile device, and they’re authenticated right into the network.” Visibility and ease of security operations have also improved. “Not only do we have greater insight into who’s logging into which application across our network, but our security toolset has become much easier to use,” says Cyrus. “We decide which users can connect to which resource without having to configure different firewall rules.” FDMG’s Bottom Line: It’s More than Just the Bottom Line FDMG’s initial goal was to reduce WAN costs, and Cato certainly did that. “We’re spending about 10 percent less with Cato than with MPLS,” says Cyrus. “Our savings are even greater if we factor in the licensing, installation, and management costs associated with the VPN concentrator.” But more than just costs, Cyrus has gained value. “With Cato Cloud, I increased bandwidth, replaced two things with one solution, improved user experience, maintained performance and uptime, and made IT more agile. That’s what I call a huge win.”
Fisher & Company Slashes MPLS Costs, Improves WAN Performance with Cato’s Cloud-Based SD-WAN
Manufacturing
Fisher & Company Slashes MPLS Costs, Improves WAN Performance with Cato’s Cloud-Based SD-WAN The Challenges with Legacy MPLS Like many companies, Fisher & Company relied on MPLS for its global network. And like many companies, Fisher was tired of the high costs, limited bandwidth, and complexities of MPLS services. The company spent $27,000 a month for a managed, secure MPLS service. The company’s 10 Mbits/s connection from the US to Mexico alone cost $7,000 per month. And three Riverbed WAN optimizers meant a one-time outlay of nearly $60,000 with an annual renewal of $7,000. With stacks of appliances, including firewalls, WAN optimizers, and routers, comes complexity and a breeding ground for problems. “Our MPLS provider proposed this very intricate architecture that looked like it was from a CCNA test,” says Kevin McDaid, systems manager at Fisher & Company. “The sites ended up with dual routers running HSRP (the Hot Standby Router Protocol) to load balance traffic between them. But when the protocol failed, so did the location.” Survivability was a challenge in other ways as well. Backhauling traffic across the MPLS network created a single point of failure. “When the provider’s MPLS router failed, we lost our headquarters and the entire company stopped working,” he says. “I was woken up in the middle of the night on several instances because a fiber cut or power outage had taken down a site, or to get the provider to fix a minor firewall problem.” Finally, managing the MPLS and security infrastructure was painful. McDaid and his team had to jump between “tons” of management interfaces, he says. They could monitor firewalls and the network, but the provider had to make any changes. “Something as simple as enabling access to a website through our firewall meant having to call support. It was very frustrating.” Cato Cloud: As Good as MPLS at a Fifth of the Price Fisher began looking at SD-WAN as an alternative. 
“We trialed a managed SD-WAN service, but the provider was difficult to work with,” says McDaid. “The management console was very complicated and you needed training just to run the reporting. They wanted us to submit requests for configuration changes; it was like our MPLS provider all over again.” Instead, Fisher turned to Cato. Cato’s SD-WAN service integrates advanced security with an affordable global, SLA-backed backbone — the Cato Cloud. With Cato, McDaid could retain control over his network and security infrastructure yet gain the agility and scaling benefits of a cloud service. Cato Improves User Experience and Simplifies Network Management Despite paying so much less for Cato, Fisher maintained and even improved its application delivery. Call quality has not changed since moving voice from MPLS to the Cato Cloud. Applications have become more responsive. “Users definitely feel it in their user experience. Things, like screen refreshes of our ERP system, seem to be a lot quicker with Cato,” he says. [Figure: Management became easier with Cato, one portal into the WAN.] The improvement was enabled by the additional bandwidth and the Cato Cloud’s network characteristics. “The loss and latency of the Cato Cloud are comparable to our MPLS service,” he says. Management has also become much easier. The Cato Management Application gives McDaid full control over his network and security infrastructure. And instead of jumping between many consoles, McDaid can manage everything from one interface. [Figure: With Cato, Fisher radically simplified its network, connecting its mobile users, eight locations, and Azure instance to the Cato Cloud.] Resiliency improved with Cato. Internet- and cloud-bound traffic are no longer backhauled to Fisher’s headquarters in Michigan, which created the single point of failure in Fisher’s old network design. 
Dual active lines connect every location to Cato’s fault-tolerant architecture. Internet- and cloud-bound traffic are sent directly onto the Internet; enterprise WAN traffic is sent across Cato’s optimized backbone to the appropriate location.
W&W-AFCO Steel Improves Citrix and Simplifies Security with Cato Cloud
Manufacturing
W&W-AFCO Steel Improves Citrix and Simplifies Security with Cato Cloud Performance and Complexity Problems Complicate Internet-based VPNs Internet-based VPNs might be an inexpensive alternative to MPLS, but that doesn’t make them a good MPLS replacement. Unpredictable performance and complexity are some of their challenges; just ask W&W-AFCO Steel. The structural steel fabricator had connected its US locations, India office, and ad hoc project teams with an Internet VPN. But as W&W-AFCO Steel grew, the Internet-based VPN became increasingly ineffective. “In some cases, our mobile users found that network services, such as a simple network scan to file, didn’t work, and in other cases, like with network printing and virtualization, services simply weren’t available,” says Todd Park, Vice President of Information Technology at W&W-AFCO Steel. The problem? Internet latency was often too high for the virtual desktop infrastructure (VDI), such as Citrix XenDesktop. “By the time our users hit an internal network service, they were experiencing, on average, 150 milliseconds of delay,” he says. According to Park, VDI starts to have user experience issues at that point. And users weren’t the only ones suffering. “Our help desk was constantly fielding calls from dissatisfied end users,” he says. Operations were also complicated by locations with different firewall configurations. Park and his team tried the firewall provider’s management software, “but it never seemed to work for us,” he says. The firewalls also lacked certain key edge features. Without prioritization, web browsing could interfere with the performance of business applications, for example. Internet failover was supported but very complicated to configure, he says. W&W-AFCO Steel Replaces VPNs and Firewalls with Cato Cloud Park tried MPLS, but costs were too high and it was a poor fit for connecting small, dynamic project teams. Instead, he turned to SD-WAN. 
He started with investigating SD-WAN appliances but found the costs to also be too high. “The maintenance on the SD-WAN appliances alone was about the cost of Cato Cloud — and that doesn’t include the capital expense of purchasing the SD-WAN appliance.” The other problem? None of the SD-WAN appliance-based solutions included integrated security services or mobile access. W&W-AFCO Steel would have to continue using separate tools for connecting and securing users and locations. With more tools comes greater complexity and less visibility. That’s when Park turned to Cato. Cato Cloud connects and secures offices, mobile users, and cloud resources into one seamless global network. Cato replaces the need for MPLS, mobile VPN, and the stacks of security appliances and tools. [Figure: The Cato Management Application provides a bird’s-eye view of a company’s network] Cato provided W&W-AFCO Steel with a more agile infrastructure. “Cato firewall is much easier to manage than a traditional firewall and the mobile client was much easier to deploy and configure than our existing approach,” he says. Failover configuration was also “not as painful” as with his firewall. “We didn’t have to worry about configuring IP addresses, VPN connections or anything. It just worked,” he says. Network performance is also much improved. Latency averages “50 to 70 milliseconds,” he says. That’s as much as a 75 percent improvement. And with Cato, Park can block web browsing, downloads or any other application from interfering with site performance. As Cato Cloud provides detailed metrics about users and locations, Park can better hold his network vendors accountable. “It really helps you go past layer-1 support and get to layer-2 support,” he says. 
[Figure: With detailed analytics from the Cato Management Application, IT gains full visibility into network activities] “We had one location in California where our cable modem was more down than up. The provider wouldn’t take responsibility for the problem. But with Cato, I was able to show them the graphs of dropped packets. Hard to argue with that.” Support hasn’t been an issue with Cato. “They’re a pretty responsive bunch and are very upfront as to what they can and cannot do,” he says. “It’s a relief, actually. So often that’s not been the case when I’ve dealt with a vendor. I understand any deployment has technology issues, but I don’t want to be misled about capabilities.” Better Agility is the Bottom Line Looking ahead, Park expects to eliminate MPLS completely once the contract expires and move his remaining locations to Cato Cloud. Has there been a hard dollar cost saving? “I believe so,” he says, but that misses the point. “The real value came in the improvements our users and we, in IT, experienced with Cato,” he says.
Alewijnse Transforms Global, Real-Time WAN with Cato Secure SD-WAN
Manufacturing
Alewijnse Transforms Global, Real-Time WAN with Cato Secure SD-WAN MPLS: Expensive and Incompatible with Alewijnse’s Business For decades, Alewijnse relied on MPLS as a principal part of its wide area network (WAN). The company’s Amsterdam datacenter, nine sites in the Netherlands, and a branch office in Romania were connected by a fully meshed MPLS network. Its predictability made MPLS essential for delivering the company’s high-definition video system, and remote desktops using Citrix and the Remote Desktop Protocol (RDP). Three other locations, the largest in Vietnam, established virtual private network (VPN) tunnels across direct Internet access (DIA) connections to the Amsterdam datacenter. Increasingly, though, MPLS was not addressing Alewijnse’s business requirements. Users complained about poor Internet and cloud performance – and for good reason. Applications were starved for bandwidth, as they were backhauled across 10 Mbits/s MPLS connections to the Internet breakout in Alewijnse’s datacenter. Internet traffic was driving up MPLS costs. Cloud applications and Internet usage accounted for about 50 percent of MPLS bandwidth to the datacenter, says Willem-Jan Herckenrath, manager of ICT at Alewijnse. IT agility was also constrained by MPLS. “Our business demands that we can set up project locations in a short period of time,” says Herckenrath. “With MPLS, I often had to wait three months to get a connection, if the technology was even available in that region.” At the same time he was rethinking his network, Herckenrath had to reevaluate the company’s security architecture. He needed a better way to secure his remote offices. Firewall appliances bring additional operational costs around deployment, management, and upgrades. He also needed a better approach to protect mobile users against ransomware and zero-day attacks. 
“Users were local administrators on their laptops and so they were not always fully protected when they entered the office,” he says. “We wanted to introduce a way so that they would always connect securely.” Converging Networking and Security Reduces Complexity and Costs Herckenrath wanted a simpler WAN design that made more effective use of the Internet without compromising on MPLS’ “quick performance” required by his loss-sensitive applications. The architecture would also have to address the company’s security requirements and mobility concerns. Connecting locations through an Internet-based VPN was one approach, but that would still mean installing, configuring, and managing VPN routers at every location. SD-WAN showed promise, but traditional SD-WAN solutions do not connect mobile users or cloud resources. They also lack advanced security services and a global backbone. Herckenrath and his team looked at bundling SD-WAN solutions with a secure web gateway (SWG) service and another provider’s backbone. But they rejected the idea. “The feature comparison looked good on paper, but they were more difficult to implement and much more expensive than Cato Cloud,” says Herckenrath. Cato Cloud is a secure, global SD-WAN service, connecting locations, cloud resources, and mobile users. Advanced security services are built into Cato Cloud and include a next-generation firewall (NGFW), SWG, IPS, and advanced threat protection. “With Cato, we got the functionality of SD-WAN, a global backbone, and security service for our sites and mobile users, integrated together and at a fraction of the cost,” he says. Cato Cloud: MPLS-like Performance without MPLS-like Price Alewijnse began a phased deployment of Cato Cloud. In the first phase, Herckenrath and his team connected the offices in the Netherlands, Romania, and Vietnam into Cato using high-quality, Internet last mile. In the next phase, Herckenrath connected the rest of his offices to the Internet and Cato Cloud. 
Cato’s ability to use any available last mile service in the WAN gave Herckenrath additional agility. Established locations can still be connected via MPLS, but now Herckenrath and his team were no longer dependent on MPLS services. As long as users can connect to the Internet, they can access Cato Cloud. And where physical Internet connectivity is not available, he can use 4G. It means his project teams at building locations, for example, can quickly get up and working. Yet despite moving off of MPLS, Herckenrath has not sacrificed performance. “Our users haven’t noticed a difference,” he says. “Latency and packet loss are low. Even the users outside of Europe have the same or better user experience with our HD video conferencing and our CAD system (which runs over Citrix).” [Figure: With Cato Cloud, Alewijnse consolidated its datacenter, locations, cloud resources and soon, mobile users, onto a single, secured WAN.] Eliminating MPLS means he’s been able to reduce his bandwidth spend each month by “about 25 percent,” says Herckenrath, for as much as 10 times more bandwidth in some locations. Additional bandwidth has helped his Internet performance, but so has eliminating Internet backhaul. With Cato, Alewijnse’s Internet traffic goes directly to Cato Cloud, where it’s inspected and secured, and from there to the public Internet. “Users are much happier now with our Internet services,” he says. Any new deployment faces its challenges and when they happen, quickly getting hold of a quality support team is critical. “We had our challenges, but what I hear from my guys is that they WhatsApp with Cato’s support guys. They don’t always have to first go, log a complaint, and open a ticket. I really like that approach,” he says. 
Alewijnse Extends WAN Transformation to Mobile Users and Eliminates Security Appliances To achieve the full value of the converged solution, Alewijnse will gradually deploy Cato Clients to secure employees’ laptops and mobile devices. Also on the roadmap is to eliminate the firewall appliances in the branch offices. Together, Herckenrath has a long migration path for transforming his network, but with Cato Cloud he thinks he has the right platform. “We like Cato’s all-in-one approach and the competitive pricing gave us very good value for money.” [Figure: With Cato, Alewijnse understands how its network is used by all users and locations]
Pet Lovers Deploys 100-site SD-WAN, Eliminates Firewalls with Cato Cloud
Retail
Challenge: How to Connect and Secure 100+ Stores Easily and Affordably

Like many retailers, Pet Lovers needed an effective way to secure its stores and franchises. The spread of massive ransomware outbreaks, such as NotPetya, concerned David Whye Tye Ng, the CEO and executive director at Pet Lovers.

Pet Lovers had already connected and secured traffic between stores with an Internet-based, virtual private network (VPN). Routers at every store directed point-of-sale (POS) traffic across the IPsec VPN to firewalls in the company’s Singapore datacenter housing its POS servers. But other than the datacenter and four stores, none of the locations had firewalls to protect them against malware and other attacks. Protection was particularly important as employees accessed the Internet directly.

Adding firewall or unified threat management (UTM) appliances at each site would have been cost prohibitive and taken far too long to deploy. For those sites equipped with firewall appliances, managing them was “tedious and slow,” says Ng. All security policy changes had to be implemented by the local service provider running the firewalls.

He considered connecting the sites via an MPLS service. But following a “meticulous” assessment of the costs and offerings of the managed service, he says that neither MPLS nor deploying security appliances could meet his needs for low-cost, rapid deployment, and ongoing management. “We did not want to be held hostage to the costs of MPLS and wanted a security solution that would be scalable and simple,” David Whye Tye N.

Cato Cloud Simplifies Security and Networking at Scale

Ng had heard about Cato Cloud and its built-in Firewall as a Service (FWaaS). He decided to take a closer look. Cato’s FWaaS includes a next-generation firewall (NGFW) as well as other security services, such as secure web gateway (SWG), Advanced Threat Prevention, and network forensics.
All security and networking services are integrated together, enabling Ng to define rich policies tapping security and networking information from across Cato Cloud. With Cato Cloud, Ng could simplify his implementation. Pet Lovers would be able to aggregate traffic from all stores, its datacenter, and, if necessary in the future, mobile users and cloud infrastructure into a common SD-WAN in the cloud. And since Cato Cloud includes FWaaS, Ng would be able to secure everything connected to Cato Cloud, avoiding the costs of deploying and managing new and existing firewall appliances.

[Figure: Pet Lovers gained visibility into all of its traffic with Cato Cloud]

Delivering security from the cloud also appealed to him. Ng had seen first-hand the limitations of UTM appliances. Their feature lists look great on paper. But increased traffic loads or enabling compute-intensive features can force unexpected appliance upgrades. With the cloud’s near limitless resources, he did not anticipate such problems with Cato Cloud.

The cloud also brought another advantage — simplicity. As a result of maintaining the SD-WAN and security functionality in the cloud, deployment of the Cato Cloud edge is trivial. That’s crucial when you’re talking about rolling out 100+ international locations.

Rapid Deployment, Complete Visibility

After some initial testing, Ng decided to roll out Cato. The deployment began with a handful of stores, but then was expanded to the rest of the network. Deployment has exceeded his expectations. “We were able to deploy two to three stores per day!” he says. Converging his entire security and networking infrastructure has made management easier: “Hooking up all my stores in eight countries and being able to precisely and clearly manage them from a single dashboard was a major win for going with Cato,” David Whye Tye N.
Unlike a managed service, Cato Cloud allows him to configure and change security as necessary. “Before, security management was tedious and slow. Now, we can implement policies immediately by ourselves,” he says. Part of that has to do with the simplicity and sophistication of the security interface. “I liked the complete visibility of our security on the fantastic dashboard,” he says. “A security dashboard must be clear and easy to manage. Cato got this one right.”

[Figure: With Cato Cloud, Pet Lovers connects and secures all stores and franchises in one network]

As a result, security has improved. “Before, we were vulnerable and web access was wide open. Now we have tight control,” he says. Every project faces deployment challenges. But the Cato team “has been very responsive,” he says, “and they work well with my team. People were another key success factor in choosing Cato.”

Cato: Good Enough to Recommend to a Friend

Looking forward, he’s anticipating connecting the rest of his locations to Cato Cloud. Many of those locations are franchises, which can normally be problematic for retail IT teams as they lack control over the franchisee’s infrastructure. “It’s not an issue with Cato Cloud,” he says. “We control all of the security and networking policy infrastructure. They only need an Internet connection and deploy the Cato appliance, which we’ve proven to be ridiculously easy.” David Whye Tye N

Overall, he says his experience has been “awesome” working with Cato. “It’s been a fast and painless implementation with a friendly and responsive service team. I would recommend Cato to a friend and that’s a big deal for me to say.”
Pharmaceutical Leader Replaces MPLS with Cato Cloud, Cutting Costs While Quadrupling Capacity
Pharmaceuticals
Global MPLS Limits Centrient

As with many enterprises, the IT team at Centrient Pharmaceuticals grew tired of the limitations of MPLS. Performance across the company’s 10-site, global network was for the most part “solid,” says Matthieu Cijsouw, Global IT Manager at Centrient. But as the applications’ capacity requirements grew, the MPLS service became increasingly congested. “Users noticed that MPLS was slow. It took a long time for them to open documents,” he says.

The high cost of MPLS bandwidth made upgrading global bandwidth unrealistic. “MPLS was about 4x more than Cato for a quarter of the bandwidth,” he says.

And bandwidth wasn’t the only problem. A lack of agility was also limiting Centrient. It typically took him three to four months to move a location, a bit faster in Europe. “One time, we needed to move a sales office, and the MPLS connection was simply not ready in time. It led to operational issues and difficult workarounds,” he says. “Needless to say, that was not appreciated by the business.”

Centrient Evaluates SD-WAN Alternatives

As his MPLS contract came up for renewal, Cijsouw started looking into SD-WAN. A technology partner recommended a combination of SD-WAN appliances, firewalls, and secure web gateways (SWG). But Cijsouw thought the solution would be too complex and was troubled by the dependence on the Internet middle-mile. “Internet performance from many regions, particularly China mainland, fluctuates significantly during the day,” he says. “We wanted a middle-mile solution.”

Global SD-WAN service providers, such as Cato, replace MPLS (and the Internet middle-mile) with an affordable MPLS alternative. The Cato Cloud Network is a global, geographically distributed, SLA-backed network of PoPs, interconnected by multiple tier-1 IP backbones.
Cato dynamically selects the optimum IP backbone for every packet, giving Cato Cloud better performance and uptime than any one of the underlying networks.

But while Cato Cloud provides global connectivity at Internet-like prices, that’s not the case for every global SD-WAN service provider. “The other provider’s service would have meant spending around 2x more than with the Cato solution and still not get any of the security services Cato offers.”

After meeting with the Cato team, he decided to run a proof of concept (PoC). Cato Sockets, Cato’s zero-touch, SD-WAN appliances, were installed in three locations alongside the existing MPLS circuits. Firewall rules steered traffic from specific hosts onto the Cato Cloud. “We did load balancing, failover tests, and load tests and Cato passed them all,” he says. During the next phase, he put a production load on Cato Cloud to see if there would be any hiccups. Not only weren’t there any problems, but users noticed that applications were even more responsive, he says.

Like many enterprises, there was initially some concern about moving the global backbone to a startup. “For a pharmaceutical company, it’s not very normal,” says Cijsouw. He convinced management of the Cato Cloud’s value and showed how he could minimize risk. “We migrated to Cato in stages, gaining confidence along the way,” he says. “Even with a full deployment, I can bring up a global, site-to-site VPN in two hours should something happen, but I don’t see that as a concern. Not only does Cato Cloud perform well, but the support Cato offers is insanely great. I never experienced such a fast response.”

Centrient Switches from MPLS to Cato Cloud

In the end, he decided to move all MPLS locations to Cato Cloud. “It only took us about a month,” Cijsouw says. “The actual cutover was done in 30 minutes.” Most locations had been equipped with 6 Mbits/s MPLS connections.
He replaced those with two, and in some cases, three local Internet connections for an aggregate capacity of 20 Mbits/s per site, burstable to 40 Mbits/s. Datacenter capacity is even higher, up to 50 Mbits/s, burstable to 100 Mbits/s — enough for current usage.

[Figure: With Cato Cloud, Centrient gained deep visibility into network performance.]

The additional connections were dual-homed for maximum availability. To ensure complete redundancy in the physical layers (including wiring and ducting), Cijsouw followed best practices and connected sites to the Internet with separate technologies — typically glass fiber and radio connections.

Not only has he reduced his costs, but with more capacity, his applications continue to perform as well, if not better, than with MPLS. “The voice quality of Skype for Business over Cato Cloud has been the same as with MPLS but, of course, at a fraction of the cost,” he says. “In fact, if we measure it, the packet loss and latency figures appear to be even better.” His connections into China also work equally or “even better” than with MPLS, he says.

And with Cato Cloud, he gained greater visibility into his network. The reporting is very “accessible” with detailed statistics online usage, he says.

A More Agile Future With Cato Cloud

As Cijsouw looks ahead, Cato Cloud will afford him flexibility — and negotiating strength — in other areas of his network. His firewall appliances, for example, are coming up for renewal in a year. Besides providing site security, they also serve as his mobile access solution. With Cato Security Services and Cato’s mobile client bundled with Cato Cloud, he could replace both and save on licensing and operational costs. “Today, we outsource firewall maintenance for about 25 percent of our networking budget,” he says. “With Cato that wouldn’t be necessary.”

Overall, how would he summarize his Cato experience? “It’s been really excellent,” he says. “Product delivery, support have all been there.
With Cato Cloud, not only did I receive a more agile infrastructure, but I also received an agile partner who can keep up with my needs. We operate faster because of Cato.”
Salcomp Replaces Global MPLS, Firewalls, and WAN Optimizers With Cato Cloud
Manufacturing
Salcomp Finds Global MPLS Too Unreliable and Rigid

When you’re a primary manufacturer to major mobile phone companies, uptime and security are critical. A small hiccup in your production line could be disastrous for your customers — and your business. All of which might sound like a good reason for sticking with expensive managed MPLS services until you consider that you’re also being evaluated on budget management.

Such was the challenge for Ville Sarja. The seasoned CIO was responsible for the aging IT architecture at Salcomp, a global manufacturer of adapters for electronic devices, originally part of Nokia and now a primary supplier to Samsung and other leading mobile phone companies. “The IT template hadn’t changed in nearly 20 years since Nokia spun out Salcomp,” says Sarja.

During those two decades, though, Salcomp’s business had changed significantly. The headquarters and the datacenter were still in Finland, but most manufacturing occurred in Brazil and the Asia Pacific. Offices had given way to more mobile users, particularly in China. The cloud had become far more popular, something Sarja was looking to leverage, and video conferencing had become the norm.

Optimizing Network Spend a Must for Salcomp

None of which sat well with Salcomp’s networking architecture. The company’s global MPLS network, which connected manufacturing plants in China, India, and Brazil with the datacenter and headquarters in Finland, consumed a “significant portion” of Salcomp’s IT budget, says Sarja.

MPLS: Not Suited for the Future

Global MPLS bandwidth was limited, which would prove problematic as traffic requirements grew. To address the situation, Salcomp deployed WAN optimizers at each end of its MPLS connections, but the WAN optimizers were challenging to configure, he says. MPLS is also poorly suited for taking advantage of cloud services, which Sarja knew Salcomp wanted to leverage.
“We wanted to be more cloud compliant, which was not compatible with the infrastructure in place,” he says.

Global MPLS’s Last-Mile Availability Problems

And for all of its touted uptime and availability, MPLS’s dirty secret remains the last-mile connectivity problems that arise on global connections. Unable to control last miles outside of their regional networks, MPLS providers must rely on local third-party partners — often with mixed results. For just that reason, Salcomp equipped locations with backup connections — local Internet access and firewall clusters running antimalware and IPS.

“In Brazil, we had a problem with an MPLS circuit, and the office was out of service for six months. Luckily we had Internet redundancy, so we were able to direct traffic to the Internet and bandwidth and connectivity were good enough. Our MPLS provider was unable to resolve the problem,” he says.

MPLS’s Long Installation Times

The last straw was MPLS’s rigidity around new site installation. Says Sarja, “In terms of deploying new sites, which was something we’re doing more in the past year, MPLS takes up to six months to have a circuit in place. That’s not very critical because it’s a site to be established and we can plan, but regardless, the inflexibility was there.”

Performance Testing Shows Cato Blows Away MPLS

Two years previously, Sarja had begun studying SD-WAN. Two years later, he returned to that effort, determined to find an MPLS alternative. “We thought an appliance-based SD-WAN solution was the most promising approach, but the SD-WAN reseller was unable to get our POC started. There were cooperation issues with the SD-WAN vendor, and we were caught in the middle of everything,” he says.

That’s when he learned about Cato. “I liked the fact that the Cato service used Cato’s own technology,” Sarja says. “It makes your life easier when you’re working with the vendor.
The knowledge is there, and logistical problems are resolved beforehand, making onboarding much easier.”

Sarja and his team decided to run a POC, testing Cato Cloud from Salcomp’s Finland datacenter and locations across China, Taiwan, and India. They deployed a Cato Socket at each location with policies in the local firewall steering the pertinent traffic to Cato. Three types of tests were run:

Sharepoint file transfers and file sharing. Salcomp wanted Cato performance to be at least as good as the current 10 Mbits/s MPLS connection or other SD-WAN providers over the Internet (also operating at about 10 Mbps).
SAP user experience. Salcomp didn’t want any degradation in SAP experience as measured by running reports and in the time taken to execute transactions.
Office 365 performance. Uploading and downloading of files from Sharepoint Online in the Hong Kong region across Cato was to be compared against the regular Internet and other Internet-based SD-WAN solutions.

What Sarja found impressed him. Data throughput on Sharepoint file transfer testing from Taiwan to Finland with Cato was 30x better than MPLS with a WAN optimizer; file sharing improved by more than 40x. Within China, Sarja found downloading a 116 MB Excel file across the site’s 20 Mbits/s connection to Cato Cloud on average took 83 seconds. Across MPLS? Download times were 20x longer. Latency also dropped by 13% when tested from China to Finland across Cato.

And not only was performance as good if not better than MPLS, but Cato deployment was much quicker. He could use any Internet line to connect locations to Cato Cloud, eliminating the six-month deployment times required for MPLS.

Salcomp Replaces MPLS with Cato Cloud

Sarja decided to move forward with a phased migration of Salcomp’s production line onto Cato. Initially, the team connected the datacenter in Helsinki to Cato. Afterward, they migrated the Indian and Brazilian locations.
During the final phase, Sarja moved over the China locations of Shenzhen and Guigang, as well as the Taiwan location in Taipei. Across all locations, he replaced the routers, firewall appliances, and WAN optimizers with redundant Cato Sockets configured in high-availability mode. “With just one architecture, not three, we can make changes in a few minutes that required weeks with our MPLS provider,” he says.

Without local firewalls, Sarja relied on Cato Security Services to protect against network-based threats. Cato Security Services is a fully managed suite of enterprise-grade and agile network security services built into the Cato network that includes Next-gen Firewall (NGFW), Secure Web Gateway (SWG), Advanced Threat Prevention, Cloud and Mobile Access Protection and Network Forensics. Testing done by a leading mobile phone manufacturer vetted Cato’s security, allowing Sarja to extend an IPsec tunnel from his Cato network to the mobile phone provider’s premises.

Since the deployment, Sarja was able to show far better budget management. He’s paying less per megabit for bandwidth and eliminating all of those appliances at each location has saved him a bundle. “We’ve reduced our networking opex by 50 percent and more since moving from MPLS to Cato,” he says.

Salcomp IT: Ready for Today and Positioned for Tomorrow

With the transition to Cato, Sarja is better positioned to address new IT challenges facing his organization. He’s planning a Microsoft Office 365 deployment and expects to connect his Office 365 instance to Cato. Cato dramatically improves cloud performance, routing traffic along the optimum path across the Cato backbone to the Cato PoP nearest to the customer’s cloud instance. Cato PoPs collocate in the same physical datacenters as the IXPs of Microsoft, AWS, and other leading cloud providers, making it a short hop across the datacenter’s local network into the cloud provider.
It’s like having premium, direct cloud connections from 40+ locations across the globe — for free.

Cato’s range of built-in optimizations also benefits unified communications. “Video quality with Microsoft Lync from China has been very good,” he says. Sarja is also looking at equipping mobile users with Cato’s mobile client to connect to Cato Cloud, once their existing VPN licenses expire.

Overall, Sarja says he’s received the best feedback any CIO could want from his users — nothing. “Users just aren’t complaining any longer,” he says. And that’s a very good thing.
Standard Insurance Uses Cato for Cloud Migration and Digital Transformation
Financial Services
Many enterprises are undergoing a digital transformation — reinventing the way they do business to become more innovative and more responsive to customer needs. This often entails migrating applications to the cloud and increasing business agility by simplifying the IT infrastructure. Both were undoubtedly goals for Standard Insurance, whose digital transformation initiative became so successful that ICMG, a leading full-service enterprise and IT architecture firm, awarded the company winner of “Best Architecture for IT Infrastructure” in 2018.

Standard Insurance, a nationwide provider of insurance and financial products in the Philippines, had initiated a multiyear digital transformation project in 2016. The company was shifting to online selling and needed to evolve its aging backend software infrastructure. The system served the entire process of the insurance business, from application and proposal to policy issuance, administration, and claims—in other words, the lifecycle of the company. The new, custom-developed platform, though, still ran in the company datacenter. A system failure would represent an existential threat to the company; moving the insurance software to AWS became a priority.

Insurance agents and employees across sixty branches VPNed into the Makati headquarters to access the company’s insurance application. Those sites were secured by branch firewall appliances connected by telco-provided VPN services. But the lack of telco coverage meant that Alf Dela Cruz, First Vice President, Head of IT Infrastructure and Cybersecurity at Standard Insurance, and his team had to manage multiple provider relationships to deliver comprehensive branch connectivity. It was a headache.

Security was also a concern. The local firewall appliances needed to be upgraded, which was a constant expense, and were insufficient to protect the organization.
After two ransomware incidents, the CEO demanded a dramatically improved security posture. The complexity of the firewall appliances also complicated site deployments. “With a hardware firewall, we had to copy information to every site and make sure it stays updated, and whatever changes we make at the head office need to filter out to every branch,” says Dela Cruz.

In a Head-to-Head Evaluation, Cato Reduces Security Costs By Half

The IT team intended to replace the firewall appliances with on-premise next-generation hardware appliances, but while awaiting delivery of the new hardware, Dela Cruz heard about Cato. “When we learned about the Cato solution, we liked the idea of simple and centralized management. We wouldn’t have to worry about the time-consuming process of patch management of on-premise firewalls,” he says.

Cato connects all enterprise resources — locations, cloud resources, and mobile users — to a common, optimized global backbone, which today is built from more than 42 PoPs across the globe. With all traffic on the Cato backbone, Cato applies a common security policy to protect all resources. Next-generation firewall (NGFW), secure web gateway (SWG), URL filtering, malware prevention — all are built into the Cato service. Cato MDR, a managed threat detection and response (MDR) service, offloads the resource-intensive and skill-dependent process of detecting compromised endpoints onto the Cato SOC.

Standard Insurance put its hardware acquisition on hold to evaluate Cato head-to-head. “We would easily spend double in terms of what we spend for Cato,” he says. “The cost of the total solution Cato is providing us – including the centralized management, cloud-based monitoring, and reports – matches the cost of the firewall appliances alone.
Then we would still need to add in the cost of appliance management and the advanced protection and other components of the firewalls.”

Cato Simplifies Network and Security Infrastructure

If Cato intrigued the Standard Insurance team with its low cost, Cato won the day with its AWS connectivity. Cato’s points of presence (PoPs) are co-located in the same physical datacenters as the IXPs of Amazon AWS, Microsoft Azure, and other cloud datacenter services, providing fast access to cloud resources across cloud providers and global regions. “Once we migrated our critical applications into the AWS cloud, we took Cato even more seriously because of their compatibility with the cloud network. This allows our branches to easily connect to the AWS cloud via the Cato network,” says Dela Cruz.

Implementing Cato also allowed Standard Insurance to shorten deployment times. Dela Cruz and his team could eliminate all branch firewalls and Internet-based VPNs, and instead send a Cato Socket, Cato’s small SD-WAN device, to each branch so that a non-technical person can simply plug it in. Once the Socket connects to the Internet, the Cato network recognizes it, joining the Socket into the SD-WAN. The Socket inherits the global security policies Dela Cruz and his team have configured for the network. “We can set up a branch in minutes with Cato,” says Dela Cruz.

[Figure: With Cato, Standard Insurance connected all users, sites, and cloud resources into a single backbone.]

Enforcing one set of security rules in the cloud for all users and resources makes security much easier to manage and update. Policies can also be customized to meet the needs of individual locations, users and more from the Cato management console. “The Cato management console is very easy to comprehend,” says Dela Cruz.

As for the users, Standard Insurance employees enjoy a better user experience. Previously, IPVPN bandwidth was limited to 1 Mbits/s.
“With Cato we increased Internet bandwidth by 10x, significantly improving performance without increasing costs,” says Dela Cruz.

Standard Insurance Looks Towards the Future with Cato

Standard Insurance will continue with its broader transformation efforts. Initiatives planned include implementing single sign-on (SSO) for all of its applications and numerous application changes. As for the infrastructure, Standard Insurance is looking to roll out more mobile clients to bring more dealers and agents onto the network. “We are recommending Cato to our business partners,” says Dela Cruz. “We love that the solution is cloud-based, easy to manage, and less expensive than other options.”
CIAL Dun & Bradstreet Improves Networking and Security in Latin American with Cato
Financial Services
The Challenge: Improve the Networking Infrastructure for Latin American Offices

CIAL Dun & Bradstreet faced an all too familiar networking problem: integrating disparate operations. “When the acquisition closed, we were aware that some of the offices were in need of an upgrade of networking infrastructure,” says Yoni Cohen, Chief Technology Officer for CIAL Dun & Bradstreet. “In some places, the internet wasn’t fast enough, and this was a real impediment to business.”

Centro de Información América Latin (CIAL) Dun & Bradstreet was launched when CB Alliance became the WWN Partner of Dun & Bradstreet International in Latin America. CIAL Dun & Bradstreet is the premier provider of commercial trade credit and supplier risk management data and solutions across Latin America. Offices are based in Argentina, Brazil, Mexico, Peru, and South Florida, with additional personnel in countries throughout the region.

CIAL was charged with creating a new network to unify this new company, and link it to its existing offices, including teams in Zagreb, Israel, and New York. “We wanted everything to be on one unified but secure network,” says Cohen.

SD-WAN Reduced Network Access Costs, Increased Cross-Site Access to Applications

Cohen began looking at an SD-WAN approach for several reasons. “I wanted a flexible, virtual network because I knew we would be adding offices and making other changes in the near future,” he says. “We weren’t locked into long-term contracts for the MPLS circuits, and this gave us the ability to lower our costs by installing broadband circuits in their place.”

The cost of bandwidth – either MPLS or broadband – is considerably higher in Latin America than in other places. Anything CIAL could do to reduce costs would be helpful. “Having one major datacenter in the middle of Latin America didn’t seem like a particularly good approach.
That’s why we started thinking about SD-WAN.”

CIAL Alliance Tests Cato

Soon after Cohen began his research on SD-WAN solutions, he read an article about Cato Networks and reached out to learn more. He liked what he heard and signed CIAL on as a Cato Networks customer. “It was a successful rollout. We worked with a network engineer from Cato who was critical to our ability to build the connections we needed.”

And while he’s been able to reduce costs, cost reductions have not been the only benefit with Cato: “We’re getting far more for the money. Connecting our locations and the cloud, having the TLS inspection, having the antivirus at the network level — there’s a lot of value.”

CIAL Dun & Bradstreet ended up with connections to the Dun & Bradstreet global data supply chain via VPN tunnels to various enterprise datacenters, tunnels to instances in Amazon AWS, along with the individual sites.

[Figure: CIAL Dun & Bradstreet connected to the global data supply chain via VPN tunnels to various enterprise datacenters, tunnels to instances in Amazon AWS, along with the individual sites.]

Cato’s ability to prioritize WAN and Internet traffic has been particularly helpful. “Because Internet connectivity is expensive in Latin America, it’s prohibitively expensive to give people very high Internet connections. When you have 80 to 100 people sharing a connection, you need to prioritize the traffic.”

Cato also gives CIAL Dun & Bradstreet the ability to segment traffic to prevent the spread of malware. “We use the WAN rules to segment traffic much more carefully,” Cohen says. “We use a TLS inspection service to prevent any viruses from spreading across our network.
We added security rules around the type of traffic and type of pass-through, so it would be much harder for any malware to get from site to site.”

CIAL Dun & Bradstreet Looks Ahead with Cato

Cohen is looking for ways to get more out of CIAL Dun & Bradstreet’s use of the Cato Cloud. “One thing I’m considering is to have the Cato Client on all our devices to force them to come through the Cato Cloud. This is probably my next move with Cato,” says Cohen.

The Cato Client connects mobile users to the Cato Cloud and provides secure and optimized access to the enterprise SD-WAN. All of the resources accessible from the locations, whether they’re in physical datacenters or in the cloud and Internet, can be made accessible to mobile users. And by connecting directly to those resources through the closest Cato PoP, mobile users’ performance is far better than with traditional mobile VPN solutions.

This has allowed the team to expand in new regions rapidly and organically. “I love what Cato is doing. They take an area that is complicated and make it easy,” says Cohen. “What we have done with them so far has made a meaningful impact on our ability to have a smooth transition to a unified company network and allowed this to be one thing that we’re not worried about.”

What is Your Digital Transformation Challenge?

Cato enables customers to gradually transform their networking and security infrastructure for the digital business. You can address one or more of the use cases below at your own pace. No matter where you start, Cato will support you throughout your journey.

MPLS Migration to SD-WAN

Secure Remote Access

Secure Branch Internet Access

Optimized Global Connectivity

Secure Hybrid Cloud and Multi-Cloud

Flexible Management

Cato Networks recognized 12x by Gartner

Gartner Market Guide for Managed SD-WAN Services

Gartner Hype Cycle for Midsize Enterprises

Gartner Market Guide for Virtual Private Networks

Gartner Hype Cycle for Threat-Facing Technologies

Gartner Market Guide for Zero Trust Network Access

Gartner Hype Cycle for Edge Computing

Hype Cycle for Business Continuity Management and IT Resilience

Gartner Hype Cycle for Network Security

Gartner Hype Cycle for Enterprise Networking

Gartner Hype Cycle for Workplace Infrastructure and Operations

Gartner Hype Cycle for Cloud Security

Gartner Hype Cycle for Cloud Computing

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.