Cato Networks: Secure SD-WAN Solution

Cato Networks provides state-of-the-art technology for WAN and network security solutions. By har-
nessing the power of Software-Defined WAN (SD-WAN), Cato Networks is able to provide efficient
and more reliable connectivity solutions to contrast traditional mesh, heterogenic topologies. Cato Net-
works offerings include SD-WAN, global connectivity on an SLA-backed backbone and enterprise-
grade security services that are converged into a single cloud network. Advantages to using SD-WAN
architecture include improved WAN agility and availability, augmentation of existing MPLS networks
with cheaper broadband connections and a simplification WAN Management overall.

The Problem
Traditional networks and security impose heavy maintenance costs and man-hours due to software up-
grades, maintenance window downtime, vulnerability management and related activities. As compa-
nies move towards the cloud, backhauling cloud-bound traffic via central secure breakout overloads
the expensive MPLS network and adds unnecessary latency. Using point security solutions between
existing data centers and Amazon AWS or Microsoft Azure clouds can split firewall access control poli-
cies, allowing for potential attack vectors due to the high complexity. In situations of mobile user acces-
sibility to cloud-based applications, traditional access controls are bypassed completely. For all of
these reasons and more, companies should consider the Cato Networks solution.

1
 The Cato Cloud
Cato Networks offers a global, geographically distributed cloud network. The Cato Cloud is made of
Point of Presence (PoPs), interconnected by multiple tier-1 carriers. HA is provided via Cato’s use of
two Tier 1 carriers ensuring no hiccup or disruption in connectivity or availability of the backbone net-
work. The Cato backbone is SLA-backed and controls all routing. Traffic on the Cato backbone routes
on the same tier-1 carrier end to end, which pro-
vides MPLS-like latency on the middle mile.
Connectivity to the Cato Cloud is achieved using
the Cato Socket – replacing existing appliances
(FW and UTM). This simple device allows a
company’s remote location (e.g., HQ, branch,
datacenter) to connect to the Cato Cloud PoPs.
Collectively, these PoPs offer redundancy and
stability in their architecture. Cloud data cen-
ters, like Amazon AWS and Microsoft Azure,
can also be easily connected to the Cato Cloud
via a secure tunnel.

Cato PoPs

Cato Points of Presence or PoPs are machine clusters strategically located throughout the world
that together comprise the Cato Network. Cato Sockets are responsible for routing traffic from a
company’s network to the nearest PoP. All traffic between the Cato Socket and the PoP is en-
crypted over a VPN tunnel. Traffic in the Cato Network is contained in the dedicated SLA-
backed carrier backbone. There are approximately 34 PoPs across the globe providing redun-
dancy and high availability to the Cato Network. In the event of a failover, Cato Socket devices
will automatically connect to the nearest available PoP, ensuring no interruption to client serv-
ice.

2
Customer with 24 sites and data centers connects to the Cato Cloud

Cato’s Firewall-as-a-Service

Cato Networks offers a suite of amazing security services provided by Firewall as a Service (FWaaS).
The Cato FWaaS includes Next Generation Firewall, VPN, Secure Web Gateway, Anti-malware, IPS,
Secure Cloud and Mobile Access. All of the security services are proprietary to Cato for optimized per-
formance. Cato takes responsibility to update and patch their own network so the burden of appliance
maintenance is taken off the customer’s plate.

3
 The Cato Unified Policy
Once connecting the company sites, data centers, and mobile users to the Cato Cloud, all traffic (WAN
and internet) is being routed via the Cato Cloud for security inspection. This unique architecture al-
lows the company to set a single unified access and security policy for all sites and users regardless of
their physical location.

Cato’s WAN firewall policy

4
Cato’s internet firewall policy

Case Study: WannaCry

Even in the recent ransomware event called “WannaCry”, networks connected to Cato were protected
due to their heuristics-based IPS engine. The Cato security team is responsible for adapting its secu-
rity services to address the latest threats. The video at the end of this blog post demonstrates how Cato
stopped WannaCry spreading.

Summary

Considering the complexity that the network space is moving towards, Cato Networks offerings can
help companies streamline their WAN management and network security. The level of risk is mini-
mized by their dual Tier 1 backbone capability and their built-in redundancy via PoPs. When migrat-
ing away from traditional appliance-heavy WAN management and security appliances towards the
more reliable and affordable SD-WAN environment, Cato Networks is a clear choice.

5
 About The Reviewer
Natalie "Sunny" Wear
Natalie "Sunny" Wear, CISSP, GWAPT, CEH, SANS GSSP-JAVA & .NET, CSSLP is an Application

Security Architect and developer. Her breadth of experience includes network, data, application and

security architecture as well as programming across multiple languages and platforms. In her 20 years

of professional experience, she has participated in the design and creation of many enterprise

applications as well as the security testing aspects of platforms and services.

She is the author of several security-related books including her most recent entitled Secure Coding

Field Manual: A Programmer's Guide to OWASP Top 10 and CWE/SANS Top 25 (http://

www.amazon.com/SCFM-Secure-Coding-Manual-Programmers/dp/1508929572) which assists

programmers in more easily finding mitigations to commonly-identified vulnerabilities within

applications. She conducts security talks and classes locally and at conferences like BSides Tampa,

AtlSecCon and Hackfest.ca.

6
 About Cato Networks:

Cato Networks provides organizations with a cloud-

based and secure global SD-WAN. Cato delivers an

integrated networking and security platform that se-

curely connects all enterprise locations, people, and

data. The Cato Cloud augments or replaces MPLS,

eliminates branch appliances, provides direct, secure Internet access everywhere, and seamlessly in-

tegrates mobile users and cloud infrastructures into the enterprise network. Based in Tel Aviv, Israel,

Cato Networks was founded in 2015 by cybersecurity luminary Shlomo Kramer, who previously co-

founded Check Point Software Technologies and Imperva, and Gur Shatz, who previously co-

founded Incapsula. For more information, visit http://www.catonetworks.com and Twitter: @CatoNet-

works.