Cato Networks has added an intrusion prevention system (IPS) to its SD-WAN offering. The IPS extends the startup’s security capabilities, which already include a next-generation firewall, secure Web gateway, and reputation filtering.
Cato says it has developed its IPS technology in-house, and will be responsible for providing all signatures and updates to customers.
Cato Networks is building out a suite of security services to help distinguish itself from a crowded SD-WAN field. While other SD-WAN vendors are also layering on security features, Cato believes that its architecture provides a leg up against the competition.
That architecture includes a constellation of PoPs connected via a private backbone. Within these PoPs, Cato has built a cloud-like software platform that can scale up to apply a variety of services to customer traffic, including the above-mentioned security functions.
How It Works
As with other SD-WAN companies, Cato’s platform includes a customer premises appliance (hardware or virtual) that sits at the edge of the remote or branch office. Cato calls this appliance a Socket.
The Socket performs standard SD-WAN functions including using DPI to identify traffic, applying policies around which link to use for which traffic (i.e. broadband or MPLS), applying QoS, encrypting outbound traffic, and so on.
Where Cato diverges from most other SD-WAN vendors is the Cato Cloud, a series of global points of presence (32 to date) that are connected via Cato’s own private backbone. A customer’s traffic comes from the Socket, across the customer’s link of choice, and into a Cato PoP.
Within the PoP, Cato applies services, such as the newly announced IPS, and then routes the traffic across its backbone to the Cato PoP that’s most appropriate for the destination (‘appropriateness’ being some combination of physical location and network performance).
Avoiding Appliance Limitations
As mentioned earlier, Cato positions this architecture as a differentiator compared to competitors that are adding security functions to their gateway devices. As these appliances take on more functions, there’s a potential performance impact.
In addition, the compute and bandwidth capacity of a hardware appliance is fixed; the CPU, memory, storage, NIC, and/or ASIC that comes with the box is what you get, and that’s it. If you want an upgrade, you typically have to buy a new box.
Cato argues that it avoids hardware limitations because the software running in its PoPs has been designed with cloud principles, meaning compute, storage and other resources can scale automatically to adjust to performance demands.
That’s certainly handy if you’re decrypting traffic, running it through a series of security services, taking policy-based actions on the results of those services, and then re-encrypting and forwarding that traffic.
In other words, rather than try to cram more functions into a box that sits at the customer premises and risk performance constraints, Cato shifts the heavy lifting into the cloud.
I generally agree with Cato’s assertion that a scalable, cloud-like architecture has performance benefits over the fixed capabilities of a box.
The question is whether Cato has actually developed a software platform that lets customers lard on security services without a performance penalty. Potential customers will have to test and analyze Cato’s claims here.
And then there are the standard tradeoffs that come with IPS. These tradeoffs aren’t unique to Cato; every vendor that delves into detection and prevention wrestles with analysis, signature development, false positives, and false negatives.
There’s also the balancing act that comes with blocking traffic; customers have to decide whether blocking some legitimate traffic is worth filtering out more attacks or vice-versa.
Despite those caveats, it seems clear to me that the SD-WAN movement will exert pressure on vendors who sell security appliances for branch and remote offices.
As Cato and others demonstrate, more security filtering features are being added to SD-WAN offerings, whether at the premises device or in the cloud. As the SD-WAN gateway swallows more functions, it will be harder for other vendors to justify the costs of standalone security products.