SDWAN Vendor Series 2019 - Cato Networks
The Cato Cloud SDWAN solution connects your sites, including branch locations, mobile VPN users, data centres and cloud service providers, into a global, encrypted and optimised distributed network in the cloud. All WAN and Internet traffic is consolidated in the cloud platform, where a set of security services is applied to protect your network communication.
Cato has implemented a global network of software defined points of presence (POPs). These are positioned within 25 milliseconds of the customer access circuit to ensure a consistent user experience. The POPs are interconnected by a network backbone built on tier 1 provider circuits that Cato procures and backs with a service level agreement. This is a key differentiator from the other vendors in the SDWAN market. What this means is that customers no longer need to engage global WAN providers to get international reach and do not need to consider connectivity beyond the "first mile" access circuit. This provides a cost effective and efficient way of connecting geographically dispersed sites with consistent performance characteristics suitable for voice services and content delivery. Cato will even manage the "last mile" for you; this service is described as intelligent last mile management (ILMM) and extends Cato's solution to end to end management.
The software defined platform is deployed at the doorstep of the cloud service providers, enabling quick and easy access to the key providers such as AWS, Azure and Google. Like most SDWAN providers, the service is priced as hardware plus a licence. The licence component is a subscription to bandwidth on a per site basis. The Cato platform boasts an extensive list of features and capabilities built with security as the main consideration, and it scales dynamically on demand. The platform provides policy-based routing based on application type and underlying link quality, and applies multiple optimisation techniques to improve the performance of Internet last mile services.
Visiting the Cato website you immediately see Cato's marketing capability in a well designed site: simple and informative, which is reflective of the SDWAN platform itself. Cato market their solution as a 6 in 1 platform, as seen in the diagram below, but when you add the "last mile" management service that Cato now provide it can be viewed as 7 in 1.
The cloud-based management application enables organisations to configure policies and monitor network activity and security events from a single pane of glass. The Cato cloud platform is continuously updated by Cato's networking and security experts to ensure service availability, optimal network performance and protection against emerging threats.
Evaluation and Assessment
Hardware or virtual appliances called "Sockets" are the main method used to establish SDWAN communication from a site. Other methods include IPsec from any firewall and IPsec from cloud providers such as AWS and Azure. Sockets do not require any staging and can be shipped direct to site. The administrator adds the site configuration and policy details in advance of connecting the socket to the network. As soon as the socket powers up and connects to the Internet, the administrator receives a notification in the management console and has the option to accept or reject the detected socket. As part of the accept process the administrator assigns the site configuration to the socket, which is then pushed to the device. Note that the accept step is the point at which trust in that device is established, so it is worth confirming the detected socket is the unit that was actually shipped to the site before accepting it.
For a 3 minute example unboxing the solution, please view the following video.
Cato provide what they call the "middle mile" and optimise it for global connectivity for organisations of all sizes. This means even a small business with a few global sites can benefit from tier 1 provider networks and predictable network performance. Adding the last mile management service, Cato take care of your end to end network integration and connectivity.
Internet is the key access method, with the distributed cloud platform making the last mile accessible regardless of location. Cato apply some useful techniques to correct errors on the access circuit using forward error correction (FEC): redundant parity data is sent alongside the traffic so that a packet lost on the last mile can be reconstructed on entry at the nearest POP, rather than being retransmitted across the full path to the destination.
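To make the FEC idea concrete, below is an added example (my own illustration, not Cato's code or a description of their implementation) of packet-level XOR parity, the simplest form of erasure coding used on lossy access circuits. A block of k packets is sent with one extra parity packet; if any single packet in the block is lost, the receiving side rebuilds it from the survivors without a round trip to the sender. The sample packets and the loss pattern are constructed for the demonstration, and the two byte length prefix and zero padding are my own framing assumptions.

```python
"""Packet-level XOR parity FEC (added example, not vendor code).

Each block carries k data frames plus one parity frame. Any single lost
frame in a block is recovered by XORing the remaining frames together.
"""
from typing import Dict, List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets: List[bytes]) -> Dict[int, bytes]:
    """Return {seq: frame}; seq 0..k-1 are data, seq k is the parity frame.

    Framing assumption: a 2-byte big-endian length prefix followed by the
    payload zero-padded to the widest packet in the block, so every frame in
    the block has the same length and can be XORed.
    """
    width = max(len(p) for p in packets)
    frames: Dict[int, bytes] = {}
    for seq, payload in enumerate(packets):
        frames[seq] = len(payload).to_bytes(2, "big") + payload.ljust(width, b"\x00")
    parity = bytes(width + 2)
    for frame in frames.values():
        parity = xor_bytes(parity, frame)
    frames[len(packets)] = parity
    return frames


def decode_block(received: Dict[int, bytes], k: int) -> Optional[List[bytes]]:
    """Rebuild the k original packets from whatever frames arrived.

    Returns None when more than one frame of the block is missing: a single
    XOR parity frame corrects exactly one erasure, so a second loss must fall
    back to retransmission (the failure mode FEC cannot cover).
    """
    missing = [seq for seq in range(k + 1) if seq not in received]
    if len(missing) > 1:
        return None
    if missing:
        # XOR of all surviving frames (data and parity) equals the lost frame.
        width = len(next(iter(received.values())))
        recovered = bytes(width)
        for frame in received.values():
            recovered = xor_bytes(recovered, frame)
        received = dict(received)
        received[missing[0]] = recovered
    packets = []
    for seq in range(k):
        frame = received[seq]
        length = int.from_bytes(frame[:2], "big")
        packets.append(frame[2:2 + length])
    return packets


def lossy_channel(frames: Dict[int, bytes], drop: set) -> Dict[int, bytes]:
    """Simulate a last-mile circuit that drops the given sequence numbers."""
    return {seq: frame for seq, frame in frames.items() if seq not in drop}


# Constructed sample traffic: four small voice-like payloads of unequal length.
SAMPLE_PACKETS = [b"voice-frame-0001", b"voice-02", b"voice-frame-00003", b"v"]


def demo_single_loss() -> Optional[List[bytes]]:
    """One data frame dropped: recovered on entry, no retransmission needed."""
    frames = encode_block(SAMPLE_PACKETS)
    return decode_block(lossy_channel(frames, {1}), len(SAMPLE_PACKETS))


def demo_double_loss() -> Optional[List[bytes]]:
    """Two frames dropped in one block: beyond what single parity can repair."""
    frames = encode_block(SAMPLE_PACKETS)
    return decode_block(lossy_channel(frames, {0, 2}), len(SAMPLE_PACKETS))


if __name__ == "__main__":
    print("single loss recovered:", demo_single_loss() == SAMPLE_PACKETS)
    print("double loss recoverable:", demo_double_loss() is not None)
```

The cost of this scheme is 1/k extra bandwidth per block, which is why FEC is applied selectively to loss-sensitive, latency-sensitive traffic such as voice rather than to everything. Production implementations use stronger codes (for example Reed-Solomon) that can repair more than one loss per block, but the trade-off is the same: redundancy on the access circuit in exchange for avoiding an end to end retransmission.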
Since Internet is their key access method, I think Cato sockets would benefit from built in 4G/LTE, further simplifying the edge and removing the need for separate modems at wireless locations. Integration of a private WAN such as MPLS with a Cato Socket also carries an overhead, as all traffic is required to traverse the Cato cloud platform in order to enforce policy. Organisations that require policy to be applied to private WAN traffic can implement this with on premise security solutions, but that doubles up the policy enforcement points. At the time of assessment BGP was not available; although I have not tested this feature, it is now available and adds to the integration capability with networks such as MPLS VPNs.
Cato support connectivity to 3 ISPs per site, which is fine for most implementations and provides availability and redundancy. Cato limit high availability (HA) to an active/passive pair, with VRRP providing the LAN side redundancy. The passive nature of the Cato HA implementation therefore means any links directly connected to the standby socket are unused during normal operation. Connectivity designs such as a layer 2 switch between the ISP links and the sockets can be used to make every link available to the active socket. This approach is also used by some other SDWAN vendors; however, I am not in favour of it as it adds unnecessary complexity at the edge.
The ability to apply network address translation (NAT) is a common requirement in enterprises. Cato provides basic NAT capability for outbound connections to the Internet and the ability to add more than a single public address. However, at the time of assessment Cato, like many of the SDWAN vendors, was limited in customisable internal 1:1 and many:1 NAT, particularly for traffic entering the overlay tunnels.
Aggregating links at the edge is a basic component of SDWAN, but beyond aggregating links for more bandwidth capacity, being able to steer traffic based on policy and application performance characteristics places more control with the administrator, who can now select how applications are delivered to a location based on business policy. Cato provides an excellent implementation of policy based routing, application steering and optimisation of application delivery. Multiple techniques, including application QoS, bandwidth/link augmentation and forward error correction (FEC), are Cato's foundational features that provide end to end optimisation. The following graphic illustrates the optimisation techniques used at each stage in the communication path; these add to application performance and also identify "black out" and "brown out" network conditions, the latter being the partial degradation that is normally difficult to detect.
Cato deliver a platform that meets the expectation of an SDWAN solution with business driven policy, and they have added advanced security capability that takes the platform to a whole new level. These features are all configured and managed from the same management console, giving a single pane of glass for both networking and security. Many of the other SDWAN vendors provide only basic security features, and adding advanced security requires components from the vendor's security portfolio or integration with a 3rd party security vendor. It would take many vendor series to address all the security capabilities provided as part of the cloud platform, and that may be a blog for the future. The following advanced security features are available from the Cato cloud platform.
Next Generation Application Aware Firewall
Secure Web Gateway
Advanced Threat Prevention
Secure Cloud and Mobile Access
Threat Hunting System
The inclusion of these capabilities alongside site connectivity unifies an organisation's security policy, providing a firewall as a service built into Cato's global cloud platform. With Active Directory integration for user identity based firewall policy enforcement, the Cato Cloud aggregates all traffic from all sources, including data centres, branches, mobile users and cloud infrastructure, into the cloud. Security policy is then applied on ingress and egress traffic, including Internet bound traffic and all user traffic, both fixed location and mobile. This approach to security allows organisations to consolidate their security appliances and, as Cato puts it, "Drop-The-Box". Organisations are no longer tied to hardware life cycles, software updates and patching, as this is all managed by Cato Networks' security experts. The flip side of that consolidation is that the provider's platform becomes part of the organisation's trust boundary, so the provider's own security practices and the integrity of the policy applied in the cloud deserve the same scrutiny previously given to on premise appliances.
Simplicity and Visibility
I have combined these 2 categories as they should really go hand in hand to be effective. Cato provides a simple and intuitive interface for administration and management functions. They also provide excellent visibility tools for analysing user, application and network traffic, including security administration for both proactive and reactive use. The dashboard provides a summary view of the environment, starting with a topology view of all sites connected to the cloud platform and the capability to drill down to a more detailed view.
Menus and sub menus are categorised and ordered for efficient access to configuration and monitoring information. It does not take much time to find your way around the menu structure and configuration screens.
Cato Networks is the Swiss army knife of SDWAN cloud based network and security platforms. If you are looking for a simple SDWAN solution with an enterprise level advanced security stack, then you should seriously consider Cato Networks. For me, Cato tick most of the boxes and address my key assessment criteria of integration, performance, security, and simplicity and visibility.
References: Images and media courtesy of Cato Networks. Retrieved from https://www.catonetworks.com/