The Challenge: Reliable, Secure Office Connectivity
Few organizations are as deadline-driven as accounting firms, especially during tax season and around other tax milestones. They need fast, reliable networks connecting office locations with cloud applications, mobile staff, and each other to get their clients’ work done on time, every time. At a time when most accounting applications have moved to the cloud, MPLS just doesn’t make it as a WAN solution anymore. It’s too rigid, expensive, cloud-unfriendly, and in the case of a major North American accounting firm, unreliable.
The firm had connected 34 of its offices via MPLS. Security at each location was provided by firewall/IPS appliances, but they were used mainly for direct Internet access (DIA). “MPLS went down enough times that users became accustomed to firing up their mobile VPN clients for communication even though they were inside the office,” says the firm’s Senior Network Engineer. “When an interruption happened close to April 15 it was really disruptive, and disruptions cost money.”
As corporate accounting applications moved to the cloud, more and more of the firm’s traffic became cloud based. “We had to go over the Internet for the cloud traffic, so it was getting to where nobody really liked MPLS,” says the network engineer. “The only reason we kept it as long as we did was for contractual agreements and QOS for voice and video.”
Until recently, the firm relied on on-premises VoIP from a well-known provider. However, when it moved to a major voice and videoconferencing cloud provider, MPLS looked even more obsolete.
“At that point it became clear: Why use a slow, expensive, less reliable circuit when you could get faster, more reliable circuits a whole lot cheaper?” The network engineer had heard “rumblings” about SD-WAN but didn’t know much about it and assumed the technology needed time to mature. When voice and video moved to the cloud, he decided to take a good look. “My feeling was that there is no such thing as genuine QOS over the Internet. I was looking for a platform that would handle QOS as best as it could be handled.”
Firm Looks at SD-WAN Alternatives, Falls in Love with Cato
The firm went to its VARs and other partners for advice. One recommended another cloud SD-WAN provider and one recommended the Cato SASE platform. “He said, ‘Knowing your company like I do I think Cato would be a great match,’” says the network engineer. More people seemed to know about the other provider so he decided to try them first. “We wanted a solution that was simple, configurable, secure, and that offered some type of QOS,” says the network engineer.
The firm set up units in the datacenter and two locations and ran file copy jobs to see how fast and consistent the performance would be. It also tried various ways to “break” the network to see how easy it would be to use the management software to find the source of the problem. It wasn’t pretty.
“The other vendor’s software was too complex, with too many dials,” says the network engineer. “They also pointed us to either our existing security platform or another vendor for security. We didn’t like that.” Their partner security vendor’s interface was also complex. “Both were the types of GUIs you would have a lot of trouble with if you didn’t use them every single day.”
The company decided to run Cato through the same tests. It set up Cato Sockets at the datacenter and the same locations as it had with the other vendor.
Cato connects all global enterprise network resources — including branch locations, mobile users, and physical and cloud datacenters — into a single secure, global, cloud-native network service. With all WAN and Internet traffic consolidated in the cloud, Cato applies a suite of robust security services to protect all traffic, including anti-malware, next generation firewall, and IPS.
Connecting a location to Cato is just a matter of installing a simple preconfigured Cato Socket appliance, which links automatically to the nearest of Cato’s more than 60 globally dispersed points of presence (PoPs). At the local PoP, Cato provides an on-ramp to its global backbone and security services. The backbone is an affordable MPLS alternative, not only privately managed for zero packet loss and five 9’s uptime but also equipped with WAN optimization to dramatically improve throughput. Cato monitors network traffic and selects the optimum path for each packet across the Cato backbone. Mobile users run across the same backbone, benefiting from the same optimization features and improving remote access performance.
“We got pretty far with the first Cato installation without any help, and the few questions I had were answered quickly,” says the network engineer. “When it came to the other two locations, we didn’t even have to call Cato. It was so easy compared to the other vendor solution, which required a lot of tweaking. That’s when we started to fall in love with Cato.”
Compared to the other solution, the Cato file copy tests were much more reliable. “The consistency was amazing, almost like a flat line,” says the network engineer. “It really made Cato look good.” Cato’s management GUI was also much easier to use. “Cato didn’t have all the dials the other one and its security partner had, but it had all the controls that mattered,” says the network engineer. “And it was really simple, without all that distracting configuration to worry about.” He showed Cato to his risk and compliance team and they really liked Cato’s interface and capabilities too. “Setting up the network, firewall and other rules was really intuitive. And I love how I can go into the Cato portal, make some changes and watch them take effect in real time.”
The network engineer was especially impressed with Cato’s event discovery feature. “Whoever designed that should get a raise. That’s the detail we’re after,” he said. The firm also sent Cato some service tickets. In most cases Cato called back within five minutes.
It became clear that Cato would enable the firm to rid itself of both MPLS and its current related security infrastructure.
Easy Rollout, Lots of Reliability and Savings
The firm rolled out Cato to all the other locations that had had MPLS. “The deployment was so easy that in most cases the local receptionist was able to install the socket with a little help from a how-to with pictures we prepared in Microsoft Word,” says the network engineer. “We would get on the phone with them and just say, ‘do step one, now do step two, etc.’ In many cases it took five minutes.”
The firm installed a high availability configuration in the datacenter and didn’t have to consult Cato at all. An issue with a vSocket for Azure was fixed in time. “Every company and install will have a few problems, but Cato really took ownership of that one and kept us informed until it was resolved.”
The firm is also looking at using Cato’s mobile VPN capabilities down the road. “We love that Cato would give us IPS at the PC level, all tied into the Cato portal,” says the network engineer. “We could manage our offices and end users from one location. Why give the money to our current provider?”
Cato was also inexpensive compared to MPLS, particularly compared to upgrading and managing all the current routers and security appliances at the company’s locations. “We were going to have to upgrade all those appliances soon and now we don’t have to buy all that new hardware and licensing,” says the network engineer.
Cato was also more reliable. “We’ve had six or eight of those appliances die on us and it seemed it was just a matter of time before the others died too,” says the network engineer. “Why bother keeping them when Cato could do all that for us?”
It was great to be able to get rid of all that hardware. “Now that we didn’t have to do all that complex routing we could even buy switches at a lower license level, saving us $1,000 per local switch.”
Cato was also more secure. “With MPLS we had almost no office-to-office security. An internal security audit concluded we needed to improve that, and since everything now goes through the Cato cloud, we have.” The network engineer also finds the way rules are configured in Cato inherently more secure than that of his previous appliances. “With Cato you start by denying all traffic and then you build exceptions. With our previous solution it was the opposite, so sometimes we allowed traffic we didn’t mean to allow.”
In all, the switch to Cato has been a great success. Says the network engineer, “It saved us money, it simplified our network, it made things faster and more reliable, and it gave us a lot of network insight.”