cato networks
Cato is taking both the WAN and network security into the cloud

Since we spend most of our time and verbiage dealing with the challenges and problems associated with Cyber Security, we decided to supply our readers with some solutions too.  The analysts over at Expert Market Insight (EMI) have kindly agreed to help us with a new blog series focusing on cyber security solutions from leading vendors.  The first of these deep dives is on a new vendor in the enterprise space – CATO Networks.

cato networksAs the complexion of networks changes, from physical (hardware-based) to virtual (software / cloud-based), so the demands put upon network connectivity and

cato networks
Ofir Agasi, Director of Product Marketing at Cato Networks

security in multi-branch organizations also alter. Applying traditional network architecture and management under these circumstances, raises logistical and cost issues. Now companies have developed new cloud-based approaches that streamline, simplify and limit the cost of these processes. We met one Ofir Agasi, Director of Product Marketing at Cato Networks, a leading new-generation Security as a Service company, to learn more about how it overcomes the challenges and meets the needs of today’s multi-branch enterprises.


Security and Connectivity in the Multi-Branch Enterprise

Back in my day, we spent an awful lot of time and resources connecting remote branch sites to the corporate HQ.  We would design and preconfigure the kit, router, switches, firewalls, mail server and the like, pack it up and send it off.  Then we would typically fly out and spend almost a week onsite setting up and getting everything working.  And we never had to deal with the cloud or shadow IT.

A new software driven approach to WAN and Security

Cato networks, a network and security startup, is taking on these issues and more with a radically new approach driven by software.

Cato was co-founded only last year by serial entrepreneurs Shlomo Kramer, co-founder of Check Point, Imperva and Incapsula and Gur Shatz, founder of Incapsula. They came together with a strong track record in both enterprise security and networking to transform how companies connect and secure their networks, including remote sites and cloud access.  “The joint forces built a unique team” says Ofir Agasi, Director of Product Marketing at Cato.

The Challenges

Appliance sprawl

Many enterprises have outmoded legacy architectures when it comes to WAN, Cloud Access and security.  It seems every new security threat requires another dedicated appliance rolled out at each site, leading to an issue that Agasi refers to as “Appliance Sprawl”.  These days, there seems to be quite a few more boxes that need configuring, shipping and setting up.  To connect a remote branch securely, you need a truck load of appliances including NG firewall, IDS/IPS, Anti-virus, Anti-spam, VPN, content filtering and the list goes on and on. Even when all this functionality is rolled into a single UTM appliance, a top-end box is required at every site.  Not only is rolling out a new site a nightmare, but the ballooning management costs of the growth in network appliances is astronomical.

“Appliance sprawl makes it almost impossible for IT and security teams to stay ahead.  They must monitor, manage, configure, patch and update more and more appliances.  This situation is becoming untenable for many teams.”

Security, Speed and Compromise

Furthermore, the problem of “Appliance Sprawl” is not just a technical challenge. It has budgetary implications as well, and budget issues can often lead to compromise.  Agasi says, “Companies often don’t have the budget to put top end security appliances at every small regional branch.  Budgetary constraints can cause some compromise on security or make life exceedingly difficult for remote staff by backhauling traffic through the HQ to the internet and cloud.  ” High speed, high quality MPLS networks cost a bundle and the alternative of site-to-site Internet VPNs have their own security, latency and availability issues.

The Dissolving perimeter

Cloud has turned the traditional enterprise security perimeter to a hazy shade of gray.  Agasi says “Traditional solutions just aren’t built for this environment and they are failing to answer many of the new issues raised.  If users are accessing corporate applications and information in the cloud, where is the perimeter? When companies have made the strategic decision to shift resources and application to the cloud, it doesn’t make a lot of sense to backhaul traffic back through the corporate network.”  It only increases the RTT, lowers experience and puts unnecessary traffic on the line.  In many cases the mobile users are simply bypassing much of the corporate security and going directly to applications in the cloud.

“Cato is taking both the WAN and network security into the cloud, solving a lot of pain for IT and security teams on the way up.”

New architecture for the new age

In response to these challenges, Cato has created its own global secure network in the cloud.  It has constructed a network with interconnected regional Points of Presence (PoPs) assembled by means of Tier-1 data centers and carriers.  There are no physical appliances in Cato’s global cloud. Everything was built in software, from the bottom up, based on the principles of Software Defined Networking (SDN) – scalable, agile, faster.  Customers do not have to worry about appliance management, patching or capacity constraints.

From an architecture point of view, Cato connects all the business elements: The HQ, Datacenter, branches, cloud infrastructure, remote workers, mobile users, into a single logical, secure network in the cloud, where WAN and Internet traffic traverse the same secure network.

This means that over the middle mile, the Cato cloud acts like an MPLS network.  Traffic takes the shortest distance between two points, cutting down on routing hops, reducing latency and RTT.  The network will choose the optimal route, traffic is encrypted and Cato gives customers an SLA-backed latency.   Internet traffic goes from the company to the Cato cloud where its being inspected before exiting to the internet, Cato can also enable direct internet access from any location.

cato networks

The Socket – connecting business elements

Cato connects the business elements to its cloud via a device they call a “socket”.   The socket is a Layer-3 zero-touch tunneling device that opens a tunnel to the nearest Cato PoP.  It connects customers’ premises to the Cato cloud, and can support multiple ISPs’ channels and even support 4G LTE as a backup.  Cato has a mobile client too which connects mobile devices directly and securely to the corporate network and resources.  The Cato socket has eliminated the need for an edge router, firewall and a bunch of other appliances.  Cato has developed a full network security stack in the cloud – NGN firewall, app control, application control, IPS, URL Filtering, anti-malware and it is planning to add a lot more capabilities.

Agasi says” We have a customer that has 36 sites spread across the globe. They are already dependent on SaaS, using MS Azure SAP Hana and AWS. With Cato, everything is now connected to a single cloud and it simplifies management for them considerably.  They have now begun to decommission their traditional firewalls, routers and appliances.

The Cato service is sold monthly, per site per throughput, based on the actual usage.

More information is available here –

Jonathon Gordon, Directing Analyst, Expert Market Insight

Receive Weekly RoundUp

By clicking this button you agree to receive marketing communications from EMI

I agree to have my personal information transfered to MailChimp ( more information )