How Cato Networks Builds Secure SD-WANs with SASE

eWEEK PRODUCT ANALYSIS: The SASE (Secure Access Service Edge) model brings security and mobility to SD-WANs. Here’s a hands-on look at Cato’s SASE platform.


Enterprises are adopting SD-WAN (software-defined wide-area network) technology as a means to reduce costs, advance digital transformation, improve network resilience and move away from legacy network connectivity offerings, such as MPLS.

[Editor’s note: Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses, thus avoiding complex lookups in a routing table and speeding traffic flows.]

While SD-WANs can solve a number of connectivity problems, cybersecurity still remains a concern. After all, if an SD-WAN connects out to the public cloud over the public internet, there is a potential for data leakage, as well as data interception.

To assuage the cybersecurity concerns surrounding SD-WANs, Gartner’s leading security analysts, Neil MacDonald, Lawrence Orans and Joe Skorupa came up with the Secure Access Service Edge (SASE) model. Gartner presents SASE as a way to collapse the networking and security stacks of SD-WANs into a fully integrated offering that is both easy to deploy and manage. Simply put, Gartner sees SASE as a game changer in the world of wide area networking and cloud connectivity. The research house expects 40% of enterprises to adopt SASE by 2024.

However, a significant challenge remains: networking and cybersecurity vendors are still building their SASE offerings, and very few are actually available at this time. That is where Cato Networks comes into the picture; this Israeli company is offering a fully baked SASE solution and has been identified by Gartner Research as one of the leaders in the SASE game.

Gartner defines SASE as an identity-driven connectivity platform that uses a cloud-native architecture to support secure connectivity at the network edge and is globally distributed. More simply put, SASE combines the connectivity flexibility of an SD-WAN with cybersecurity paradigms that can now be integrated directly into the network stack. Cato Networks has successfully combined those four main characteristics of SASE (identity-driven, cloud-native, edge-focused and globally distributed) into a cloud-based offering.

A closer look at Cato Networks’ SASE platform

Like most SD-WAN-based solutions, Cato’s platform works at the edge of the network, where the LAN connects to the public internet, to access cloud or other services. As with other SD-WAN offerings, the edge must connect to something beyond the four walls of the private network. In Cato’s case, the company has created a global, geographically distributed private backbone, which is connected via multiple network providers. In essence, Cato has built a private cloud that can be reached over the public internet.

That global private backbone incorporates the elements of SASE and brings fully converged networking and security to each edge connection. Cato makes that possible with the Cato Socket, Cato’s SD-WAN device. The Socket is a physical appliance (or a virtual one for the cloud) that routes all traffic from the edge to the closest Cato PoP (Point of Presence). There are more than 50 Cato PoPs, and those PoPs share the data-center footprint of the major cloud providers, meaning that not only is there a Cato PoP close to all major business centers worldwide, but that latency from Cato to your cloud provider is likely to be nominal at most. Cato’s global routing optimization significantly reduces latency when compared with the public Internet. Throughput is also improved by the WAN optimization built into the Cato software.

With the core security and networking processing occurring in the Cato Cloud, the Cato Socket brings enough networking capabilities to overcome last-mile issues and bring the traffic into the nearest Cato PoP. The device implements QoS prioritization, which can be driven by applications, users and other definable elements. The Socket also institutes other traffic management capabilities, such as dynamic path selection and the ability to connect to a mix of fiber, cable, XDSL, 4G/LTE and MPLS connections.


At left: The Cato X1700 Socket is Cato’s SD-WAN device that’s designed for the needs of the datacenter.

At right: The Cato X1500 Socket is Cato’s SD-WAN device designed for the needs of the branch office or data center.


Another interesting aspect of the Cato Cloud is its security-as-a-service offerings. Cato has built a full suite of enterprise security capabilities into its SASE model, meaning that customers can add security layers without having to configure additional devices on premises. For example, the Cato Cloud offers an application-aware next-generation firewall-as-a-service (FWaaS), a secure web gateway with URL filtering (SWG), standard and next-generation anti-malware (NGAV) and a managed IPS-as-a-service (IPS). The company extends the concept of network security down to the endpoint with a managed threat detection and response (MDR) service, which detects compromised endpoints.

Those available options allow enterprises to reduce hardware needs at branch offices and make deploying unified security policies a little easier for administrators. What’s more, the as-a-service model eliminates the need for patching, manual upgrades and other time-consuming tasks that on-premise security appliances usually require.

The company also offers Cato Cloud connectivity options for mobile users and their respective endpoints. Remote or mobile users can connect to the Cato Cloud using the Cato Client application or via clientless browser access, which establishes a software-defined perimeter (SDP). Remote and mobile users authenticated to the Cato Cloud via SDP also benefit from latency reduction, application acceleration and route optimization. Unlike a virtual private network, Cato does not require a dedicated VPN appliance at a primary site. Instead, mobile users automatically connect to the nearest Cato PoP, eliminating the latency that a VPN usually adds to any connection.

Deploying the Cato SASE platform

Cato makes it quite easy to implement SASE, thanks to a well-thought-out deployment process. For most installations, it takes little more than installing the Socket SD-WAN device and connecting it to the internet. Configuration is done via Cato’s central management console, which offers ample help, as well as recommended settings. The Cato Sockets are “internet aware,” meaning that as soon as the device is plugged into a viable internet connection, it will automatically download the latest firmware, further easing the initial deployment. Once the Socket is associated with a site, it will also automatically pull down the enterprise’s configuration and rule sets. Adding branch offices can be accomplished in a matter of minutes.

Those deploying the Socket SD-WAN device do need to be aware of their connectivity options; for most deployments, multiple connectivity paths are used for failover and/or load balancing. In many cases, those adopting the Cato SASE platform are also looking to deprecate and retire MPLS connections or other legacy technologies. That means it is critical that the selected replacement is up and running before making that switchover.

However, Cato does not force deployers to immediately switch over to new connectivity providers. The platform supports hybrid WAN configurations in which legacy connections (typically MPLS) run in parallel with new connections to the internet. This allows network managers to transition away from MPLS circuits at their own pace or retain them for business continuity purposes.

Those supporting mobile or remote users will find adding users to the Cato Cloud simple as well. Remote users can choose to connect using the Cato Client application or connect with a browser. Support personnel can simply email the client file and guide remote staffers through the initial setup process, or automate it completely if an ITSM/RMM solution is in place.


At left: The Cato Management Console allows enterprises to easily monitor and manage their network and security infrastructure.


With analysts from IDC predicting the SD-WAN market to reach $8 billion by 2021, it is not a question of if, but one of when for an enterprise to adopt an SD-WAN. That said, there are a multitude of SD-WAN options on the market today, but very few, if any, currently offer the ease of deployment and management that Cato does. What’s more, Cato also introduces the security of SASE, helping to flatten the networking and security stacks into a single stack that is more robust, easier to manage and easier to scale.

There are very few nits to pick with Cato’s implementation of the SASE model. Better reporting tools would definitely prove beneficial for those monitoring network loads, usage and availability.

Pricing varies based on configuration. Enterprise deployments of the converged SD-WAN and security platform, with built-in cloud integration and WAN optimization across a global backbone, typically start at $25,000.

Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.