Challenge: How to Run Lean and Still Deliver Agile, Effective Security and Networking
It’s an all too familiar problem: IT is called to support more users and deliver more services without increasing budget. With MPLS and firewall appliances that might have seemed like mission impossible. The sheer complexity of the traditional network infrastructure almost requires IT to maintain networking and security specialists on staff, not to mention an extensive investment in infrastructure, limiting cost reductions and constraining efficiencies.
But new technologies, such as SD-WAN as a service (SDWaaS) and firewall as a service (FWaaS), are enabling IT to operate far leaner than ever. Just ask Arlington Orthopedics where the network nearly doubled in size without having to expand its IT team.
“It was obvious to me that I had to focus my resources,” says George McNeill, director of I.T. for Arlington. “I needed my infrastructure to be as lean as possible. This way we could invest in business analysts or other customer-facing roles and technologies, not internal IT roles, such as networking and security specialists.”
But the Arlington network was anything but lean. Arlington spent $10,000 per month for the 100 Mbits/s MPLS service and connections were still “choking out,” he says. MPLS’s infamous deployment times also meant he needed a 90-day window for deploying new offices — far too long for the firm.
The existing firewall appliances were also sucking up resources he didn’t have. “Firewalls are complicated by default, but they’re even more complicated when set up by someone else who’s no longer with the company and with his or her own ideology and thought,” he says.
Troubleshooting the performance problem that was “choking” his network wasn’t easy. The company’s office and regional networks were flat, layer-two subnets. Firewall appliances at each location were connected by meshed, point-to-point, virtual private networks (VPNs). Servers located in Arlington were accessed by the branch locations. George knew that some locations had performance problems, but diagnosing them was very difficult. “We could see the traffic, but figuring out the source of the problem was impossible,” he says.
And with IT resources spent keeping “the lights on,” other projects had to be pushed to the side. Disaster recovery (DR) was one such example. “I could have set up a DR site using a site-to-site VPN,” he says, “But then I would have to put a whole lot of work into the effort and still have a single point of failure.”
Cato’s “Easy Experience” Simplifies SD-WAN Adoption
George had heard about the cost savings of SD-WAN from a local provider. During his research, he stumbled on to Cato and how Cato Cloud, Cato’s SD-WAN as a service, combines SD-WAN with FWaaS. He decided to trial Cato Cloud.
“I expected the company to take a month to get me equipment when two days later, I received two Cato Sockets (Cato’s zero-touch, SD-WAN appliances), preconfigured for installation.”
Within 10 minutes the Cato Sockets were installed and the Cato solution was working. “We had the whole shebang for a month. A fully functional, free trial for a month, to verify that it works. Apparently, that’s not very common with SD-WAN,” he says.
For his due diligence, George went back to the initial provider. Instead of Cato’s converged secure SD-WAN as a service, the provider offered a managed service integrating third-party SD-WAN appliances and firewall appliances. The result was a complex, heavy, and cumbersome environment.
It was the classic difference between traditional, appliance-centric managed services and the elastic, software-driven cloud, and that difference led to serious adoption and configuration problems for George. “The provider wanted me to buy without a trial. What person in his right mind would use a service without a trial?” he says.
“I was on a call with 10 of their people, and they said, ‘Okay we’re going to replace your firewall.’ I said ‘WHAT? No, you’re not!’” Replacing the firewall or placing the SD-WAN appliance in front of the firewall would have meant reconfiguring his entire site-to-site VPN just for a trial.
“When I told them that they needed to place the appliance alongside the firewall, their response was ‘that’s complicated.’ One dude from Cato figured out the problem in five minutes; you mean your entire team couldn’t get it to work?” he says. “After a month, the reseller still hadn’t given us the trial.”
Arlington Deploys Cato in Minutes
In the end, George went back to Cato. “Yes, Cato met my technical requirements, but the reason why I returned and am staying with Cato is that it made buying SD-WAN so simple.”
Rather than ripping and replacing the firewall, Cato allowed George to extend the life of his firewall and transition off it as needed. External traffic could be sent to a Cato Socket sitting alongside the existing firewall. That traffic is secured by the Cato Security Services built into Cato Cloud, which include a next-generation firewall (NGFW), secure web gateway (SWG), and IPS. As the firewalls reach end of life or the limits of their capacity, traffic can be moved over to Cato. They can also be configured to “burst” to Cato Cloud.
Any implementation has its share of challenges and McNeill’s Cato deployment was no different. “We had a problem accessing Cato’s Dallas PoP [point of presence] at one point,” he says. “Yes, things were a bit slower, but our users didn’t notice it so much. The Sockets automatically migrated everyone to Cato’s Chicago PoP. But here’s the thing — we didn’t have to do anything. Our firewall rules remained the same, there was no reconfiguration, and the Sockets automatically re-connected to the Dallas PoP when Cato resolved the problem.”
Better Management, Better Control with Cato
With Cato, George has improved agility, increased visibility and control, and expanded his level of service to the business, all without scaling up his IT team. Deploying new sites takes far less time. “With Cato, I am setting up an office before they have electricity to every socket,” he says.
McNeill can also diagnose problems more efficiently. Because all traffic is sent through the Cato PoP, McNeill gains a single-pane-of-glass view into his network. He’s been able to use that visibility to improve governance and IT’s interaction with the business.
“We found that Netflix was being streamed across the network during company hours. With our firewall, we would have only been able to block Netflix, and that was my knee-jerk reaction, but then whoever was watching Netflix would switch to another network.
“With Cato, I was able to identify the user watching Netflix and on which device — his cell phone. This way I was able to send him an email to hold off on movie time during company time. And if he keeps doing it without permission? I’m going to turn off Netflix for just that phone during work hours,” he says.
And he’s been able to address his disaster recovery issues. “Cato has made a separate disaster recovery site possible for us,” he says. Instead of configuring individual site-to-site VPNs for each location to a DR facility, now the DR facility sits like any other office on the same Cato Cloud-based WAN. “The Cato Sockets allow me a huge level of high availability,” he says.
Looking Ahead with Cato Means Keeping Lean and Effective
George has largely eliminated MPLS and the firewall appliances, transitioning most offices to Cato Cloud. He plans to migrate his last office to Cato once he’s finished his MPLS contract.
Eliminating MPLS will free up budget for other IT projects, such as increasing front-line support, but one thing George won’t need to hire is deep engineering expertise. “If we didn’t have Cato, I would have to expand headcount with a networking expert. Now I can put my resources elsewhere,” he says.
The bottom line? “Cato enables me to be more diligent. Questions I could not have answered because of a lack of time like ‘What are people doing on my network?’ I’m now able to answer.”