SD-WAN security

August 2019 saw a significant increase in the discovery of new malware according to statistics from AV-TEST – The Independent IT-Security Institute. In August alone, 14.44 million new malicious programs were registered by the institute, raising the total number of registered malware programs above 938 million. The sheer magnitude of these numbers provides a sobering perspective and helps quantify the threats facing enterprise networks.

As the WAN is the ingress and egress point of corporate networks, securing it is vital to mitigating risk and improving security posture. However, cloud services and mobile users make networks much more dynamic and difficult to secure than they were just a decade ago.

These fundamental changes in how we do business demand a new approach to WAN security. Appliance-based SD-WAN and MPLS (Multiprotocol Label Switching) simply aren’t designed to address these use cases. Fortunately, cloud-based SD-WAN offers enterprises a holistic WAN solution capable of meeting modern security challenges at scale with cloud-native software and security as a service.

But what makes cloud-based SD-WAN security and the security as a service model different? Let’s find out.

WAN Security and the Challenges Facing the Enterprise

A good starting point in explaining why cloud-native SD-WAN is so compelling from a security perspective is the shortcomings of two older WAN solutions: MPLS and appliance-based SD-WAN.

MPLS was designed to provide dedicated, reliable, and high-performance connections between two endpoints before cloud and mobile took over the world. However, there’s no encryption on MPLS circuits and any security features like traffic inspection, IPS (Intrusion Prevention System), and anti-malware have to be layered in separately. Appliance-based SD-WAN generally offers encryption, solving one of the problems associated with MPLS, but it’s effectively the same story after that. SD-WAN appliances are not security appliances. For example, to achieve the functionality of a Next-Generation Firewall (NGFW), you need to add a discrete appliance at the network edge.

For both MPLS and appliance-based SD-WAN, the “add appliances to add security” approach has a number of shortcomings including:

  • Complex and difficult to scale. The more appliances you add, the more complex the network becomes. Not only does each additional appliance require more time investment, it introduces more potential for oversights that lead to costly breaches. A single misconfigured appliance can create a major security risk and manual configuration is conducive to oversight and errors.
  • Expensive. Each discrete appliance must be sourced, licensed, provisioned, and maintained, and the cost adds up fast.
  • Limited when it comes to cloud and mobile. Appliance-based architectures are inherently site-focused. There isn’t a simple way to add cloud support to most appliances, from either a security or a connectivity standpoint.

Why SD-WAN Security with Cloud-Native Software & Security as a Service is a Game-Changer

The cloud-native network infrastructure supporting the Cato Cloud takes SD-WAN security to the next level by integrating security features into the underlying WAN fabric. Built from the ground up with modern enterprise networks in mind, Cato’s cloud-native infrastructure eliminates the need for most proprietary hardware integrations by baking security features in, reduces complexity by providing a single management interface, and reduces the technical expertise and time investment required for WAN management.

Additionally, inspection of TLS traffic occurs at the PoPs (Points of Presence) on Cato’s global private backbone, helping to secure traffic to and from the cloud efficiently. Further, with Cato’s Software Defined Perimeter, support for mobile users becomes simple and scalable.

In short, by shifting security functions to the cloud, Cato delivers a security-as-a-service model that brings cloud scalability, economies of scale, and agility to SD-WAN security.

Enterprise-Grade Cloud-Based SD-WAN Security Features

Now that we understand the architectural advantages of cloud-based SD-WAN security, let’s explore some of the specific features that set Cato Cloud apart.

  • NGFW. Cato’s NGFW inspects WAN and Internet-bound traffic and allows implementation of granular security policies based on network entities, time, and type of traffic. The NGFW’s Deep Packet Inspection engine classifies applications or services related to a given traffic flow without decrypting payloads. This helps the NGFW achieve full application awareness and contextualize traffic for more granular policy enforcement.
  • Secure Web Gateway (SWG). Malware, phishing, and similar attacks that originate on the Internet pose a real threat to enterprise WANs. SWG focuses on web access control to prevent downloads of suspicious or malicious software. Predefined policies exist for a number of website categories and enterprises can input their own custom rules to further optimize web safety within the WAN.
  • Anti-malware. To deliver enterprise-grade anti-malware functionality, the Cato Cloud takes a two-pronged approach. First, a signature and heuristics-based engine that is updated with the latest information from global threat databases scans traffic for malware. Second, Cato has partnered with infosec industry leader SentinelOne to incorporate artificial intelligence and machine learning to identify unknown malware that may evade signature-based checks.
  • IPS. Cato’s Intrusion Prevention System provides contextually-aware SD-WAN security. Customers benefit from the scale of the Cato network in the form of a more robust IPS. Cato Research Labs use big data to optimize IPS performance and reduce false positives and false negatives.
  • Managed Threat Detection and Response Service (MDR). With MDR, enterprises can offload compromised endpoint detection to Cato’s security operations center (SOC). This not only reduces the support burden on in-house staff, it minimizes one of the key drivers of damage created by malware: dwell time. Cato’s SOC works to rapidly identify and contain threats as well as advise on remediation. The SOC team also provides monthly reports that help quantify network security incidents (a genericized example report is available as a PDF).
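The NGFW bullet above describes policies keyed on network entity, time, and traffic type, with the traffic type coming from a DPI classifier rather than from decrypted payloads. The following is an added example, not Cato’s code and not a description of its policy engine: a minimal first-match rule evaluator over constructed flow records, where the `app` label on each flow stands in for the classification an assumed DPI engine would supply, and all addresses, rule names and time windows are constructed for illustration. It shows the two points a practitioner cares about in such a policy: rule order (a block rule placed before a broader allow wins), and an implicit default-deny when nothing matches, including time windows that cross midnight.

```python
"""Added example (not Cato's code): first-match evaluation of NGFW-style rules
keyed on source entity (CIDR), DPI application label, weekday and time window."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    app: str            # label assumed to come from a DPI classifier (hypothetical)
    timestamp: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    entities: Tuple[str, ...] = ()                # CIDR strings; empty = any source
    apps: Tuple[str, ...] = ()                    # app labels; empty = any app
    window: Optional[Tuple[time, time]] = None    # (start, end) local time; None = always
    weekdays: Tuple[int, ...] = ()                # 0=Mon .. 6=Sun; empty = any day


def _in_window(ts: datetime, window: Optional[Tuple[time, time]]) -> bool:
    """True if the flow's local time falls in the window; handles windows that
    cross midnight (e.g. 22:00-04:00), a common source of policy bugs."""
    if window is None:
        return True
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every populated criterion must match; empty criteria act as wildcards."""
    if rule.entities and not any(ip_address(flow.src_ip) in ip_network(e) for e in rule.entities):
        return False
    if rule.apps and flow.app not in rule.apps:
        return False
    if rule.weekdays and flow.timestamp.weekday() not in rule.weekdays:
        return False
    return _in_window(flow.timestamp, rule.window)


def evaluate(rules, flow: Flow, default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls to the default (deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, "default"


# Constructed policy: note the block rule sits before the broader allows.
POLICY = [
    Rule("block-filesharing", "block", apps=("bittorrent",)),
    Rule("finance-to-erp", "allow", entities=("10.20.0.0/16",), apps=("sap",)),
    Rule("guest-web-business-hours", "allow", entities=("192.168.100.0/24",),
         apps=("http", "https"), window=(time(8, 0), time(18, 0)),
         weekdays=(0, 1, 2, 3, 4)),
    Rule("backup-window", "allow", entities=("10.30.0.0/16",), apps=("rsync",),
         window=(time(22, 0), time(4, 0))),
]

# Constructed sample flows (2019-08-12 is a Monday, 2019-08-10 a Saturday).
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "sap", datetime(2019, 8, 12, 10, 0)),
    Flow("10.20.5.7", "bittorrent", datetime(2019, 8, 12, 10, 0)),
    Flow("192.168.100.44", "https", datetime(2019, 8, 12, 10, 0)),
    Flow("192.168.100.44", "https", datetime(2019, 8, 12, 20, 0)),
    Flow("192.168.100.44", "https", datetime(2019, 8, 10, 10, 0)),
    Flow("10.30.1.1", "rsync", datetime(2019, 8, 12, 23, 30)),
    Flow("10.30.1.1", "rsync", datetime(2019, 8, 13, 3, 0)),
    Flow("10.30.1.1", "rsync", datetime(2019, 8, 13, 5, 0)),
]


def run_sample():
    """Evaluate every sample flow; returns (src, app, action, matched rule)."""
    return [(f.src_ip, f.app) + evaluate(POLICY, f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The evaluator never inspects a payload: the `app` field is the classifier’s verdict, which is what lets the policy stay application-aware over encrypted traffic. Reversing the order of the first two rules would let the finance subnet’s BitTorrent flow through, which is why first-match engines need the most specific blocks listed first.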

Cato Offers Modern and Scalable SD-WAN Security

As we’ve seen, the complexities and cost of sourcing, provisioning, patching, and maintaining a fleet of appliances are abstracted away with security as a service. Cloud-based SD-WAN offers a number of inherent advantages that appliance-based SD-WAN and MPLS simply can’t deliver. This is because cloud-native software and the security as a service model enable Cato to take a converged approach to networking and security. As a result, users benefit from an information security, operations, and business perspective.

This point is driven home by Cato customer Jeroen Keet, Senior Network and System Architect at Kyocera Senco: “Companies moving to the cloud should have a closer look at Cato. The integrated connectivity, security, and intelligence make it an evolutionary step forward for all businesses. If you are willing to use all of the functionality Cato Networks has to offer, it will bring significant financial, functional and IT management benefits.”

If you’d like to learn more about how Cato is revolutionizing SD-WAN security or need help choosing a WAN connectivity solution that meets your needs, contact us. If you’re still not convinced and would like to see Cato Cloud in action, you’re welcome to schedule a demo to see it live.

  • What is SD-WAN?

    Software-defined Wide Area Network (SD-WAN) devices sit in company locations and form an encrypted overlay between themselves across any underlying transport service including MPLS, LTE, and broadband Internet services.

  • What are the benefits of SD-WAN?

    Reduced Bandwidth Costs: MPLS bandwidth is expensive. On a “dollar per bit” basis, MPLS is significantly higher than public Internet bandwidth. Exactly how much more expensive will depend on a number of variables, not the least of which is location. However, the costs of MPLS aren’t just a result of significantly higher bandwidth charges. Provisioning an MPLS link often takes weeks or months, while a comparable SD-WAN deployment can often be completed in days. In business, time is money, and removing the WAN as a bottleneck can be a huge competitive advantage.
    Reliable Network Across the Unreliable Internet: The ability to connect locations with multiple data services running in active/active configurations. Sub-second network failover allows sessions to move to new transports in the event of downtime without disrupting the application.
    Secure Communications: Encrypted connectivity secures traffic in transit across any transport.
    Bandwidth on Demand: The capability to immediately scale bandwidth up or down, so you can ensure that critical applications receive the bandwidth they need when they need it.
    Immediate Site Activation: Bring up a new office in minutes, instead of the weeks or months it takes with MPLS. SD-WAN nodes configure themselves and can use 4G/LTE for instant deployment.

  • What are the key trends driving SD-WAN adoption?

    Enterprises built their networks using legacy carrier services, such as a managed MPLS service. These services are expensive, require weeks to months to activate sites, and require waiting for the service provider to make even the simplest of changes.
    SD-WAN offers an escape from that, bringing agility and cost efficiencies to IT networking. The SD-WAN connects locations with several Internet connections, aggregating them together with an encrypted overlay. Policies, application-aware routing, and dynamic link assessment in the overlay allow for the optimum use of the underlying Internet connections.
    Ultimately, SD-WAN delivers the right performance and uptime characteristics by taking advantage of the inexpensive public Internet with the security and availability needed by the enterprise.

  • What are the limitations of SD-WAN?

    Lack of a global backbone: SD-WAN appliances sit atop the underlying network infrastructure. This means the need for a performant and reliable network backbone is left unaddressed by SD-WAN appliances alone.
    Lack of advanced security features: SD-WAN appliances help address many modern networking use cases, but don’t help with security requirements. As a result, enterprises often need to manage a patchwork of security and networking appliances from different vendors (such as CASBs) to meet their needs. This in turn leads to increased network cost and complexity, as each appliance must be sourced, provisioned, and managed by in-house IT or an MSP.
    No support for the mobile workforce: By design, SD-WAN appliances are built for site-to-site connectivity. Securely connecting mobile users is left unaddressed by SD-WAN appliances.