Manufacturer Replaces MPLS with Cato Cloud, Improves Performance and Security
Delays and High Cost Leave IT Frustrated By the Carrier Experience
As companies embrace the cloud, the classical hub-and-spoke configurations of MPLS often prove to be too rigid and ineffective. The automotive component manufacturer, a metal forming specialist, was no exception.
The number of computers at the metal specialist had nearly tripled in the three years leading up to its WAN transformation. The company was also moving to a cloud-based Plex ERP system. Together, these changes made delivering predictable Internet access more challenging and more critical.
Uptime proved to be far from perfect. Brownouts — fluctuations in latency and loss caused by congestion on the MPLS network — were all too common. “The corporate office had a 20 Mbits/s MPLS connection, and then we shared 30 Mbits/s between all sites. If someone at corporate was downloading a file at 20 Mbits/s that only left 10 Mbits/s for everyone else and the network started to choke,” he says. “Quality of service (QoS) was too rigid to be of help and not really working.”
And though every location had redundant connections, continuous uptime proved challenging. MPLS routing proved to be a poor approach towards redundancy. “Automatic failover worked most of the time, but there were always problems,” says the IT manager. “It relied on pinging two or three guests, such as Google, the local interface, or one of the routes. If none failed, though, failover wouldn’t work even if our sites couldn’t access our datacenter.”
The carrier proved unable to help. “The carrier’s technicians were not experts in the products. Most of the time, our staff was more knowledgeable than the representative assigned to the ticket,” he says.
The carrier’s rigidity also complicated opening new locations. The carrier could only work with certain infrastructure providers. “The representative told me ‘I can’t get you fiber at that location’ and I was like ‘I already have fiber, what do you mean you can’t give it to me!’”
The network problems led to other headaches. The company runs a “deny all” policy at its firewall with exceptions made by user groups for fixed users. “The carrier’s firewall had a hard time identifying users correctly when the laptop went from wired to the backup wireless connection,” he says. “Their solution was for us to spend $5,000 more for a client-based authentication product.”
Overall, incorrectly identifying users was “the biggest failure” of the carrier approach, he says.
The Team Evaluates SD-WAN Solutions
The company knew leaving MPLS was critical and the team began assessing SD-WAN solutions. “We looked at a bunch of SD-WAN suppliers, but they kept passing us off onto their resellers,” says the IT manager. “We already had the experience of one reseller not understanding the technology. Trying the same approach again was the last thing we wanted to do.”
He also didn’t want to go with a carrier-managed SD-WAN service. “One SD-WAN supplier sent us back to our carrier to purchase a carrier-managed SD-WAN service. It was insane,” he says. “I hate that carrier right now and am trying to fire them, and I should go back to them?”
He had heard about Cato and was intrigued by Cato’s ‘easy’ experience. “I liked your vision and support model,” he says.
Unlike carrier-managed SD-WAN, Cato Cloud is a cloud-based SD-WAN service fully developed by Cato. There are no third-party appliances to increase costs or complicate support; the technical expertise resides in Cato. The Cato Cloud converges security and networking, providing an affordable MPLS alternative, firewall as a service, remote access, and CASB functionality. And by being based on software-defined perimeter (SDP) principles, Cato Cloud allows fine-grained network access and protects corporate assets from network-based attacks.
“Cato seemed to have everything together,” he says.
Manufacturer Adopts Cato Cloud, Eliminates Performance Problems
Ultimately, the company ran a Proof of Concept (POC) between locations and settled on the Cato platform. The IT manager added Cato’s easy-to-deploy SD-WAN appliances, Cato Sockets, to each site. Rather than backhauling Internet traffic, he provided sites with direct Internet access protected by Cato Security Services, which include NGFW, IPS, and anti-malware inspection. The Cato Sockets establish secure tunnels to the closest Cato PoP, which inspects and forwards traffic either to company locations across the Cato Cloud or out to the public Internet.
Cato’s affordable price allowed the company to increase bandwidth at locations. The IT manager provided sites with 6 to 20 times more bandwidth for the same cost as the MPLS. “Before we had 30 Mbits/s out to the Internet (with a hub firewall). Now with Cato our Internet bandwidth per site went to 740 Mbits/s.”
As a result, performance improved significantly. “With Cato, our response time to our ERP system flattened out. Normally, we needed 20 to 30 milliseconds to reach the ERP system due to congestion across MPLS, and then as much as 500 milliseconds for a response. After switching to Cato, response time averaged 30 milliseconds or less.”
Availability has also improved. Unlike MPLS, Cato measures the full path to the cloud for accurate, predictable failover. “Cato has true failover in the product,” he says. “Now if one ISP goes down we automatically switch over to the other one.”
Cato Cloud Improves Supply Chain, Third-Party Access
The combination of Cato’s flexibility and converged security services gave the company some unexpected benefits, such as allowing third-party access to its network.
With Cato Cloud, the company’s partners and suppliers connect to the same SD-WAN through an IPsec tunnel. Access is restricted to only the necessary resources, as Cato Cloud adheres to Software Defined Perimeter (SDP) principles, which call for authenticating users before showing them available network resources. With just a few minutes at the management console, the IT team can configure network-wide policies for fine-grained access. It’s “really awesome,” he says.
“Now, I can let our telephony vendor VPN into our network without compromising our security. They can only connect to the voice network and nothing more,” he says.
Cato Security Service also eliminated the problem of identifying users when switching from wired to wireless. “VPN connections can easily be restricted to only sites or hosts that they need to connect to which has increased our security capabilities,” he says.
Cato ‘Easy’ Experience Makes the Difference
Most of all, the IT manager liked how Cato handled support. “With Cato, it was the support people that really made us go, ‘You know they’ll fix it.’ The people are smart and intelligent and know what’s going on instead of just taking a ticket.”
It’s the combination of networking and security convergence with personal support that makes for Cato’s “easy” experience. And it’s that combination that made the difference for the company. “You can have the best product in the world, but if you can’t get customer service then you’ve got nothing,” he says. “Our problem was the carrier resold firewalls with issues and only one or two people in the entire company seemed to have answers.”