Firewall Appliances Complicate Site-to-Site Connectivity
Mergers and acquisitions have a way of creating havoc for IT professionals. Take, for example, the experience of one educational technology (EdTech) company. Over the span of two years, this company, which asked not to be named, had acquired roughly eight companies, each with different networking standards. “It was a disaster,” says the IT manager. “We had seven or eight different sets of standards in anything and everything in networking, including different models of firewalls.”
At first, he tried replacing those firewalls with “top-of-the-line SD-WAN equipment” from a major networking vendor that “probably cost us over $30,000 a year for three sites,” he says. But performance proved to be a problem with the appliance. “I had a gigabit connection to the Internet, yet my sites would not connect more than 100 Mbits/s.”
He put in a secondary system, a leading firewall appliance. When he saw performance exceed 100 Mbits/s, he moved all of his services to the firewall. But establishing site-to-site VPNs from each branch office to the central firewall in Fulsom proved to be a short-term solution. Managing seven separate branch firewalls, even from one vendor, involved multiple full-time jobs. The firewall vendor’s distributed management system “didn’t do a particularly good job,” says the IT manager.
Site deployment was also complicated. “It didn’t let us see everything on a single pane of glass,” he says. “You couldn’t just do one thing, click on a link and get your site connected to another site. You still have to modify multiple links from multiple locations to establish a VPN.”
Defining policies was also complicated. “If you get into the firewall rules between the sites, you’re destined to have problems. The rules were continuously conflicting because of our naming structure. Three network engineers might call the same site slightly different names (such as ‘Seattle HQ’ instead of ‘Seattle’). And when you log in next time, you only see one named instance, not an IP address. Instead of telling the system ‘I would like an RDP connection’ in a relatively English way and ‘don’t allow file transfers,’ you had to dig deep into every site and every port and make them match.”
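The rule-conflict problem the IT manager describes is easy to reproduce: when three engineers refer to the same site by different names, the management console cannot tell that two rules cover the same flow with opposite actions. The script below is an added illustration, not code from the page or from any vendor mentioned on it. It assumes a hypothetical site registry that maps every spelling of a site name to its address range (the site names, ranges and rules are constructed sample data), normalises each rule to networks, and reports every source/destination/port combination whose outcome depends on which engineer’s rule happens to match first.

```python
"""Find inter-site firewall rules that conflict only because sites are named inconsistently."""
import ipaddress
from collections import defaultdict

# Constructed site registry (hypothetical, not from the page): canonical name -> aliases and prefix.
SITE_REGISTRY = {
    "seattle": {"aliases": {"seattle hq", "sea"}, "cidr": "10.10.0.0/16"},
    "california hq": {"aliases": {"hq", "ca hq"}, "cidr": "10.20.0.0/16"},
}

# Constructed rules as three engineers might have written them for the same two sites.
RULES = [
    {"src": "Seattle HQ", "dst": "HQ", "port": 3389, "action": "allow"},        # engineer A: RDP allowed
    {"src": "Seattle", "dst": "California HQ", "port": 3389, "action": "deny"}, # engineer B: same flow, denied
    {"src": "SEA", "dst": "CA HQ", "port": 445, "action": "deny"},              # engineer C: SMB blocked
    {"src": "Seattle HQ", "dst": "HQ", "port": 445, "action": "deny"},          # duplicate with same action
]


def _key(name):
    """Canonicalise a site name: lower-case and collapse internal whitespace."""
    return " ".join(name.lower().split())


def build_alias_index(registry):
    """Map every accepted spelling of a site to its network; refuse ambiguous aliases."""
    index = {}
    for canonical, entry in registry.items():
        net = ipaddress.ip_network(entry["cidr"])
        for name in {canonical, *entry["aliases"]}:
            key = _key(name)
            if key in index and index[key] != net:
                raise ValueError(f"alias {name!r} maps to two different sites")
            index[key] = net
    return index


def normalize_rule(rule, index):
    """Rewrite a rule's endpoint names as networks so rules from different engineers compare equal."""
    def lookup(name):
        key = _key(name)
        if key not in index:
            raise KeyError(f"unknown site name {name!r}; add it to the registry before evaluating rules")
        return index[key]
    return lookup(rule["src"]), lookup(rule["dst"]), int(rule["port"]), rule["action"].lower()


def find_conflicts(rules, registry=SITE_REGISTRY):
    """Return [(src, dst, port, [actions...])] for flows that are matched by rules with different actions.

    Rule order is deliberately ignored: a first-match engine would silently pick one of the
    conflicting rules, which is exactly the behaviour that is hard to debug from the console.
    """
    index = build_alias_index(registry)
    actions = defaultdict(set)
    for rule in rules:
        src, dst, port, action = normalize_rule(rule, index)
        actions[(src, dst, port)].add(action)
    return sorted(
        (str(src), str(dst), port, sorted(acts))
        for (src, dst, port), acts in actions.items()
        if len(acts) > 1
    )


if __name__ == "__main__":
    for src, dst, port, acts in find_conflicts(RULES):
        print(f"CONFLICT {src} -> {dst} tcp/{port}: {' vs '.join(acts)}")
```

The check is deliberately strict about unknown names: a rule that refers to a spelling the registry does not know is rejected rather than treated as a new site, because silently accepting it is how a fourth name for the same office gets created.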
Activating processor-intensive features on firewalls can also impact performance. “Every time we enabled monitoring on our firewall, performance went to a tenth of the Internet speed. In the headquarters, we had a 1 Gbit/s link, but when we enabled logging, we couldn’t even reach 100 Mbits/s.”
As for mobile user performance, the IT manager says he regularly had to field user complaints about poor performance. “All across the world — India, Africa, and Southern America — our main connectivity point has been to the headquarters in California. So users in India trying to access websites in India had their traffic cross the globe twice — first to the headquarters in California and then back to India,” he explains. “The same is true in New York. A user from New York browsing the New York State University site, for example, must first send traffic to California only to cross the Internet back to New York.”
The so-called “trombone” effect became a significant cause of Internet performance complaints. And direct Internet access from each office wasn’t an option; the headquarters’ IP had been whitelisted for access to multiple departments, explains the IT manager. Traffic sent directly from branch offices would have been blocked.
The EdTech company ended up pushing all Internet traffic through the headquarters’ firewall, creating a pricey chokepoint. “With 300 or 400 more users than our system is designed for, I had to choose between increasing bandwidth from 1 Gbit/s to 10 Gbits/s and doubling our price, or supporting fewer users.”
Cato: The Global SD-WAN Service That Connects Sites, Mobile Users, and the Cloud
Frustrated by his experience with Internet-based VPNs, the IT manager began looking for an alternative solution. Extending his VPLS implementation globally wasn’t an option. “The international connections are really expensive. They ask for an arm and a leg — $50,000 a month. And the speeds that we require aren’t available. You can get a 5 Mbits/s connection for a couple thousand dollars, but we need 100 to 200 Mbits/s.”
He decided to revisit SD-WAN with an eye towards ease of use and performance. “We wanted a usable system out of the box that didn’t require us to send for a week-long training,” he says. “I wanted my CFO to be able to manage and see what’s going on in the network. And I didn’t want to tell him how to browse through the screens to see what’s going on.”
The IT manager says he spoke with “every single possible SD-WAN provider” before coming to Cato. He particularly liked Cato’s global network. “That [the global network] was huge for us. We didn’t want to connect from our site to another site directly across the Internet. The public Internet is, well, the public Internet.”
He considered another global SD-WAN backbone provider but rejected them for several reasons. “Number one was the client VPN. They wanted to connect the clients to each office separately, similar to our firewall connections. The approach didn’t make sense to us. I don’t want to connect my East Coast users to East Coast and West Coast users to West Coast firewalls.”
What’s more, the provider required the EdTech company to purchase its last-mile service. “Their system didn’t seem to be fully compatible with what we needed to do,” he says. “They wanted to sell me the last-mile carriers, and I already have multiple new connectivity contracts signed.”
Cato Adoption Simplifies Deployment and Improves Performance
The company decided to deploy Cato, and today has connected 13 sites and more than 1,100 mobile users to its Cato instance. Site installation has become much easier. The ability to use a wide range of last-mile services has also given the IT manager greater deployment flexibility. “Instead of buying super-duper fiber connections, now I’m able to buy a coax cable from one provider and fiber from another, combine them, and still achieve tremendous and reliable speed. If either of them goes down, I’m not losing anything other than, maybe, a slowdown in connectivity.”
Users are seeing better cloud and Internet performance now that they no longer need to backhaul Internet traffic to California. The Cato mobile client automatically sends a user’s traffic to the nearest Cato PoP, where Internet-bound traffic exits directly onto the public Internet rather than traversing the headquarters. Cato has more than 40 PoPs worldwide.
The EdTech company’s network experience is also more consistent with Cato than with its Internet-based VPN. “When we’re connecting to India or Canada, we can see traffic has a more stable connection with Cato,” he says.
Another case in point is SSL/TLS inspection, which previously had to be configured appliance by appliance. “With firewall appliances, you install certificates from your firewall and only then you realize that when your user goes to another site, you again need to install another SSL certificate at that appliance,” he says. “With Cato, we were able to install a single certificate globally so we can do SSL decryption and re-encryption.”
Cato: So Simple It’s “The Apple” of SD-WANs
But most of all, the IT manager liked Cato’s ease of use. “Cato is the Apple of SD-WANs. You give an iPad to a one-year-old and watch him browse through the apps. That’s what I see with Cato. As soon as my network engineer logged into the management system, he was a master in 10 minutes.”