This column is available in a weekly newsletter called IT Best Practices.
The advent of worker mobility and cloud computing has played havoc with the traditional network perimeter. At one time the perimeter was a well-established concept: all of our users, locations, data centers and applications sat inside a zone protected by strong network security. That notion seems almost quaint today.
With mobile users and data and applications in the cloud, the old perimeter has basically dissolved, leading to the development of entirely new security tools—secure web gateways, cloud access security brokers, enterprise mobility management, and so on. These new products and services augment the traditional network security stack of firewalls, anti-virus, email and web filtering, etc.
Because companies today tend to be more global with more branches in more locations, there's a need to have a network security stack in every location. That makes for a costly, complicated security environment that can be difficult to maintain and evolve.
Cato Networks is taking a new approach. The company, which launched in February 2016, was started by people from companies such as Check Point Software, Imperva, Palo Alto Networks, Trusteer and Barracuda Networks. They understand both networking and security, which enables Cato to offer network security as a service.
Cato believes the current network topology is one of the root causes of all this complexity. As an alternative, Cato connects the different elements of the typical enterprise – the headquarters, the data center(s), branches, the cloud infrastructure which is part of the external network, and the mobile users – into a new perimeter in the cloud. This perimeter carries both the wide area network traffic between the elements and the Internet bound traffic from these elements. Essentially, Cato is consolidating all of the traffic that crosses boundaries in the enterprise in a cloud network.
Once that traffic is consolidated, Cato can apply a set of cloud-based network security services that are built directly into the network. The network itself runs the security services needed to protect the traffic going to and from the HQ data center, branches, the cloud infrastructure and mobile users. If an organization wants to establish a unified policy across all traffic – i.e., between users and the cloud, users and the data center, branches and the data center, etc. – Cato is in a position to enforce that policy because it has consolidated both the network and the security stack.
Cato Networks is building a proprietary global network of points of presence (PoPs). The objective is for each PoP to be within 25 milliseconds of every business user. The Cato Cloud Network is still in development, but Cato already has strong coverage in North America, central Europe and Asia, with rapid expansion beyond those geographies.
The PoPs are interconnected with multiple Tier 1 carrier backbones. Cato essentially buys wholesale capacity from the carriers. When Cato puts a packet on the network in, say, California, the packet runs on the backbone all the way to Asia. The carriers guarantee a certain SLA for that packet between the destinations, which allows Cato to achieve MPLS-like latency over the long haul.
The Cato Cloud Network controls the routing and the latency of packets on a global scale—not over the open Internet where latency is unpredictable because the route is unpredictable, but over a predictable and SLA-backed backbone. Cato improves reliability by using multiple links and load-balancing among them. If one carrier is experiencing an issue, Cato can make a packet by packet decision to move to another carrier. Moreover, the company performs all sorts of optimizations on these backbones to minimize packet loss and jitter, and all of the data on the backbone is encrypted.
If this sounds like SD-WAN, there are some distinctions. One is that SD-WAN typically deals with the branch/data center dynamics, but the Cato Cloud Network expands the footprint to include direct connectivity for cloud infrastructure and to mobile users. Also, Cato manages the middle mile instead of using an open Internet connection, which delivers a better level of service. A third differentiator is Cato's inclusion of a full security stack, whereas today's SD-WAN solutions have to bolt security on.
The Cato Cloud Network is the first building block of what the company calls "a better network." The next step is to connect enterprises to this backbone. The basic concept is that every entity within an enterprise (i.e., HQ data center, cloud data center, branch or mobile user) that needs to connect to the backbone establishes a secure tunnel from that entity to the nearest Cato PoP. The entities connect in various ways, as shown in the graphic image.
For an on-premises data center with a firewall, the enterprise can open up an IPsec tunnel from that firewall to the Cato cloud and forward traffic from that location to Cato. If it is a branch that has no equipment there, Cato provides a small zero touch appliance that simply forwards packets from the branch to the nearest Cato PoP. A virtual socket can connect an Amazon AWS data center to tunnel the traffic from that virtual private cloud to the Cato cloud. And finally, mobile devices are configured with the Cato Client, which is very similar to a VPN client but it connects to the nearest Cato PoP. Cato Client is available for Mac, Windows, iOS and Android to facilitate end users plugging into the backbone.
Across all of these entities, Cato abstracts the network so the customer sees one unified network regardless of which PoP the entities are connected to. This establishes high quality, low latency connectivity between all the different elements. This is the wide area network part of the solution.
On top of that, Cato layers on a full network security stack directly into the network. Because the software-based security services themselves are in the cloud, they run on every PoP, making the full stack available everywhere that entities connect to the Cato network. The customer doesn't need to do anything to service or maintain the security; Cato is responsible for updating, maintaining and evolving the security services.
The customer controls its own unified policy across all the elements. For example, the security stack includes a next generation firewall with application control, so it is fully application aware. The customer can set policies on application access as well as URL filtering rules. The customer could, for instance, set one type of policy for Facebook or other social media applications and another policy for Salesforce and Office 365. The customer gets total application visibility to see who is going to which applications, and what they are doing, both on the WAN and the Internet. The unified policy is configured and managed through a cloud-based management console.
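To make the "unified policy" idea concrete, here is an added illustration (not Cato's code or policy format) of an application-aware rule set that is evaluated the same way whether a flow arrives from a branch, a mobile user, the HQ data center or a cloud VPC. The application catalogue, the sample flows and the rule set are constructed for the example; a real application-aware firewall classifies traffic by inspecting it, not by hostname lookup alone.

```python
from dataclasses import dataclass

# Constructed application catalogue: destination host suffix -> (application, category).
APP_CATALOGUE = {
    "facebook.com": ("Facebook", "social"),
    "salesforce.com": ("Salesforce", "business"),
    "office.com": ("Office 365", "business"),
    "erp.corp.example": ("ERP", "internal"),   # hypothetical internal app in the HQ data center
}

@dataclass(frozen=True)
class Flow:
    source_kind: str   # which entity opened the tunnel: "branch", "mobile", "hq" or "cloud"
    user: str
    dest_host: str
    dest_port: int

def classify(flow):
    """Map a flow to (application, category); unknown traffic is never treated as allowed."""
    for suffix, (app, category) in APP_CATALOGUE.items():
        if flow.dest_host == suffix or flow.dest_host.endswith("." + suffix):
            return app, category
    return "unknown", "unknown"

# One ordered rule set for WAN and Internet traffic alike. Rules key on the application
# category, never on the source entity, so branch and mobile users get identical decisions.
# First match wins; anything unmatched falls through to deny-and-log.
POLICY = [
    {"category": "social",   "action": "allow", "log": True,  "hours": (12, 14)},  # lunch window only
    {"category": "business", "action": "allow", "log": True},
    {"category": "internal", "action": "allow", "log": False},
    {"category": "unknown",  "action": "deny",  "log": True},
]

def evaluate(flow, hour):
    """Return (application, action, log) for a flow seen at the given hour of day (0-23)."""
    app, category = classify(flow)
    for rule in POLICY:
        if rule["category"] != category:
            continue
        window = rule.get("hours")
        if window and not (window[0] <= hour < window[1]):
            return app, "deny", True       # outside the permitted time window
        return app, rule["action"], rule["log"]
    return app, "deny", True               # default deny

if __name__ == "__main__":
    for f in (Flow("branch", "alice", "www.facebook.com", 443),
              Flow("mobile", "alice", "www.facebook.com", 443),
              Flow("cloud", "svc-etl", "login.salesforce.com", 443)):
        print(f.source_kind, f.dest_host, evaluate(f, hour=13))
```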
Cato says there are several notable use cases for its Cato Cloud Network, including:
- Providing secure direct Internet access from branch locations, eliminating the need to backhaul traffic through the HQ data center
- Offloading Internet traffic from expensive MPLS links
- Eliminating physical security appliances in branch locations
- Unifying policy across a hybrid cloud environment
- Creating a low-latency WAN with MPLS-like service throughout
- Bringing mobile users into the network securely, and giving them direct access to the Internet
The Cato Cloud Network is in production mode for the entire platform and the footprint is expanding rapidly as more PoPs are established. The company believes it has a better model for overcoming many of the networking security challenges that continue to vex distributed enterprises.